
Overview

When a cybersecurity incident/attack/event occurs that has large ramifications to the cybersecurity industry and affects numerous organizations, FortiGuard Outbreak Alerts will be the mechanism for communicating important information to Fortinet's customers and partners. These Outbreak Alerts will help you understand what happened, the technical details of the attack and how organizations can protect themselves from the attack and others like it.

The Alert will include:

  • Details of the attack, including the timeline, the technology affected, and, where applicable, where patches and mitigation recommendations can be found
  • Recommended Fortinet products that would break the attack sequence, and threat hunting tools to help you determine if you were affected
  • Additional related research from FortiGuard Labs



Active Outbreak Alerts

When a cybersecurity attack with large ramifications affects numerous organizations, FortiGuard Outbreak Alerts help you understand what happened, learn the technical details of the attack, and find out how you can protect yourself now and in the future.

Apr 25, 2024
Severity: high
C-DATA Web Management System RCE Attack
Attack Type: Attack

What is the C-DATA Web Management System RCE Attack?
FortiGuard Labs observed a critical level of attack attempts in the wild targeting a two-year-old vulnerability in the C-DATA Web Management System. The vulnerability, CVE-2022-4257, allows a remote attacker to execute arbitrary commands on the target system.

What is the FortiGuard Labs analysis? 

FortiGuard Labs telemetry shows attack attempts on over 40,000 unique IPS devices in the week of the release of this outbreak. The majority of the blocked attacks were seen on IPS devices located in Japan, the United States, and Australia. The exploit is publicly available, and as of now, we are not aware of any patch available from the vendor.

How does Fortinet detect and protect against the attack?

  • To detect and block any traffic targeting the related vulnerability, the FortiGuard IPS signature is available.
  • To detect and block known malware related to the vulnerability, the FortiGuard AV signatures are available.
  • To detect and respond to the attack, the FortiGuard Outbreak Detection service provides an automatic event handler and reports via FortiAnalyzer.
  • The Indicators of Compromise Service is available for threat hunting via FortiAnalyzer, FortiSIEM, and FortiSOAR.
  • Automated post-execution threat detection and response against advanced threats, such as fileless threats, is provided through behavior-based detection in FortiSandbox and FortiXDR.

Where can I find additional information? 

An Outbreak Alert report is posted on the FortiGuard Labs website. It provides details on all the FortiGuard services that provide detection and protection, as well as how to respond to, recover from, and identify the attack.

Apr 22, 2024
Severity: high
Akira Ransomware
Attack Type: Ransomware

What is the Akira Ransomware?
First detected in March/April of 2023, this ransomware group primarily focuses on small to medium-sized businesses and is driven by financial motives. Like other notorious ransomware operations, Akira uses familiar tactics such as Ransomware-as-a-Service and double extortion to maximize its profits. The group gains access through virtual private network (VPN) services that lack multifactor authentication (MFA), mostly by using the known Cisco vulnerabilities CVE-2020-3259 and CVE-2023-20269, as well as through external-facing services such as Remote Desktop Protocol, spear phishing, and the abuse of valid credentials.

What is the FortiGuard Labs analysis? 

FortiGuard Labs continues to observe detections in the wild related to the Akira ransomware group. According to a recent CISA report, the group has targeted over 250 organizations since early 2023, affecting numerous businesses and critical infrastructure entities across North America, Europe, and Australia. The gang has made over $42 million in ransom payments from these attacks.

How does Fortinet detect and protect against Akira Ransomware?

  • To detect and block known malware related to the Akira Ransomware, the FortiGuard AV signatures are available.
  • To detect and respond to the attack, the FortiGuard Outbreak Detection service provides an automatic event handler and reports via FortiAnalyzer.
  • The Indicators of Compromise Service is available for threat hunting via FortiAnalyzer, FortiSIEM, and FortiSOAR.
  • Automated post-execution threat detection and response against advanced threats, such as fileless threats and ransomware, is provided through behavior-based detection in FortiSandbox and FortiXDR.

Where can I find additional information? 

An Outbreak Alert report is posted on the FortiGuard Labs website. It provides details on all the FortiGuard services that provide detection and protection, as well as how to respond to, recover from, and identify the attack.

Apr 15, 2024
Severity: critical
PAN-OS GlobalProtect Command Injection Vulnerability
Attack Type: Attack

What is the PAN-OS GlobalProtect Command Injection Attack?
The attack, identified as CVE-2024-3400, allows a malicious actor to exploit an unauthenticated OS command injection vulnerability on PAN-OS GlobalProtect devices. The vulnerability has a CVSS score of 10.0. CISA has issued an alert adding the vulnerability to its Known Exploited Vulnerabilities catalog.

What is the FortiGuard Labs analysis? 

The command injection vulnerability exists in the GlobalProtect feature of PAN-OS devices. Once a connection is established, the attacker can install a custom Python backdoor, pivot into internal networks, and exfiltrate data.

How does Fortinet detect and protect against the attack?

  • To detect and block any network attack targeting the related vulnerability, the FortiGuard IPS signature is available.
  • To detect and block any malware delivered during post-exploitation, the FortiGuard AV signatures are available.
  • To detect and respond to the attack, the FortiGuard Outbreak Detection service provides an automatic event handler and reports via FortiAnalyzer.

Where can I find additional information? 

An Outbreak Alert report is posted on the FortiGuard Labs website. It provides details on all the FortiGuard services that provide detection and protection, as well as how to respond to, recover from, and identify the attack.

Apr 9, 2024
Severity: high
Sunhillo SureLine Command Injection Attack
Attack Type: OT/ICS

What is the Sunhillo SureLine Command Injection Attack?
The attack on Sunhillo SureLine, identified as CVE-2021-36380, allows a malicious actor to exploit an unauthenticated OS command injection vulnerability. Once a connection has been established, the attacker can gain command over the targeted system and potentially achieve full system compromise. Sunhillo products handle surveillance data distribution for the Federal Aviation Administration, the US military, civil aviation authorities, and national defense organizations.

What is the FortiGuard Labs analysis? 

The vulnerability exists in the SureLine software due to improper input validation of the "ipAddr" and "dnsAddr" parameters. This allows an attacker to manipulate the resulting command by injecting a valid OS command, enabling the establishment of an interactive remote shell session.

FortiGuard has had protection coverage for this vulnerability since October 2023 and has been intercepting exploitation attempts averaging a thousand per day. The Mirai malware is also used as a payload for further infiltration. It is recommended to apply the firmware patch recommended by the vendor to fully mitigate the risk.

CISA has issued an alert stating that the vulnerability has been added to its Known Exploited Vulnerabilities catalog.

How does Fortinet detect and protect against the attack?

  • To detect and block any network attack targeting the related vulnerability, the FortiGuard IPS signature is available.
  • To detect and block any malware delivered during post-exploitation, the FortiGuard AV signatures are available.
  • To detect and respond to the attack, the FortiGuard Outbreak Detection service provides an automatic event handler and reports via FortiAnalyzer.

Where can I find additional information? 

An Outbreak Alert report is posted on the FortiGuard Labs website. It provides details on all the FortiGuard services that provide detection and protection, as well as how to respond to, recover from, and identify the attack.

Mar 27, 2024
Severity: medium
Nice Linear eMerge Command Injection Vulnerability
Attack Type: Vulnerability

What is the Nice Linear eMerge Command Injection Vulnerability?
The vulnerability tracked as CVE-2019-7256 is a command injection flaw that could allow an attacker to achieve remote code execution and gain full access to the system. The Nice Linear eMerge E3-Series is a popular access control system used in various commercial and industrial environments worldwide, which underscores the potential for widespread impact from this vulnerability.

What is the FortiGuard Labs analysis? 

Since January of this year, the IPS signature designed to safeguard against CVE-2019-7256 has been intercepting attack attempts, blocking such incidents on around 1000 distinct IPS devices daily. FortiGuard Labs continues to see attack attempts targeting CVE-2019-7256 and has an existing IPS signature to block them. However, it is recommended to apply the firmware patch recommended by the vendor to fully mitigate the risk.

How does Fortinet detect and protect against Nice Linear eMerge Command Injection?

  • To detect and block any traffic targeting the related vulnerability, the FortiGuard IPS signature is available.
  • To detect and respond to the attack, the FortiGuard Outbreak Detection service provides an automatic event handler and reports via FortiAnalyzer.

Where can I find additional information? 

An Outbreak Alert report is posted on the FortiGuard Labs website. It provides details on all the FortiGuard services that provide detection and protection, as well as how to respond to, recover from, and identify the attack.

Feb 27, 2024
Severity: critical
ConnectWise ScreenConnect Attack

What is ConnectWise ScreenConnect Attack?
Threat actors, including ransomware gangs, have been seen exploiting newly discovered critical flaws in the remote monitoring and management software ScreenConnect. The first flaw, CVE-2024-1709, is an authentication bypass vulnerability that could let attackers gain administrative access to a ScreenConnect instance. The second flaw, tracked as CVE-2024-1708, is a path traversal vulnerability that may allow an attacker to execute remote code.

What is the FortiGuard Labs analysis? 

Because this software is widely used, the flaws could pose a significant threat to hundreds of thousands of end-user systems that could be targeted downstream, and they can allow attackers to remotely plant malicious code on vulnerable ConnectWise instances.

How does Fortinet detect and protect against ConnectWise ScreenConnect Attack?

  • To detect and block any traffic targeting the related vulnerability, the FortiGuard IPS signature is available.
  • To detect and respond to the attack, the FortiGuard Outbreak Detection service provides an automatic event handler and reports via FortiAnalyzer.
  • The Indicators of Compromise Service is available for threat hunting via FortiAnalyzer, FortiSIEM, and FortiSOAR.

Where can I find additional information? 

An Outbreak Alert report is posted on the FortiGuard Labs website. It provides details on all the FortiGuard services that provide detection and protection, as well as how to respond to, recover from, and identify the attack.

Jan 23, 2024
Severity: critical
Ivanti Connect Secure and Policy Secure Attack

What is Ivanti Connect Secure and Policy Secure Attack?
Ivanti disclosed two zero-day vulnerabilities in its Ivanti Connect Secure (ICS) and Ivanti Policy Secure gateways. CVE-2023-46805 is a vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure; this authentication bypass vulnerability allows a remote attacker to access restricted resources by bypassing control checks. CVE-2024-21887 is a command injection vulnerability in the same web components.

What is the FortiGuard Labs analysis? 

The CVE-2023-46805 and CVE-2024-21887 vulnerabilities are chained together to exploit servers running the Ivanti software. The attack does not require authentication and enables a threat actor to send malicious requests and execute arbitrary commands on the system for further exploitation. FortiGuard Labs has observed a high volume of exploitation attempts since the release of the signature that detects and blocks the Ivanti ICS authentication bypass vulnerability (CVE-2023-46805). FortiGuard Labs recommends that administrators follow the vendor's mitigation steps and apply patches as soon as they are provided.

How does Fortinet detect and protect against the Ivanti Connect Secure and Policy Secure Authentication Bypass Attack? 

  • To detect and block any traffic targeting the related vulnerability, the FortiGuard IPS signature is available.
  • To detect and respond to the attack, the FortiGuard Outbreak Detection service provides an automatic event handler and reports via FortiAnalyzer.
  • The Indicators of Compromise Service is available for threat hunting via FortiAnalyzer, FortiSIEM, and FortiSOAR.

Where can I find additional information? 

An Outbreak Alert report is posted on the FortiGuard Labs website. It provides details on all the FortiGuard services that provide detection and protection, as well as how to respond to, recover from, and identify the attack.

Jan 17, 2024
Severity: high
Androxgh0st Malware Attack

What is Androxgh0st Malware Attack?
FortiGuard Labs continues to observe widespread activity of the Androxgh0st malware in the wild. It exploits multiple vulnerabilities, specifically targeting PHPUnit (CVE-2017-9841), the Laravel Framework (CVE-2018-15133), and Apache Web Server (CVE-2021-41773), to spread and conduct information-gathering attacks on target networks.

What is the FortiGuard Labs analysis? 

AndroxGh0st is Python-based malware that primarily targets user environment (.env) files. These files may contain credentials for various high-profile applications such as AWS, O365, SendGrid, and Twilio. AndroxGh0st has numerous malicious functions: it abuses SMTP, scans for and exploits exposed credentials and APIs, and deploys web shells to maintain persistent access to systems.

How does Fortinet detect and protect against the Androxgh0st Malware Attack? 

  • To detect and block any traffic targeting the related vulnerabilities, the FortiGuard IPS signature is available.
  • To detect the known malware related to the Androxgh0st campaign, the FortiGuard Antivirus signatures are available.
  • To detect and respond to the attack, the FortiGuard Outbreak Detection service provides an automatic event handler and reports via FortiAnalyzer.
  • To perform threat hunting, the Indicators of Compromise Service is available via FortiAnalyzer, FortiSIEM, and FortiSOAR.
  • To detect and block unknown variants of the malware, the FortiGuard behavior detection engine is available via FortiEDR/XDR and FortiSandbox.
  • To detect systems vulnerable to the AndroxGh0st malware attack, the Endpoint Vulnerability Service is provided by FortiClient.

Where can I find additional information? 

An Outbreak Alert report is posted on the FortiGuard Labs website. It provides details on all the FortiGuard services that provide detection and protection, as well as how to respond to, recover from, and identify the attack.

Jan 16, 2024
Severity: high
Adobe ColdFusion Access Control Bypass Attack

What is Adobe ColdFusion Access Control Bypass Attack?
FortiGuard Labs observed extremely widespread exploitation attempts relating to security bypass vulnerabilities in Adobe ColdFusion, with IPS detections reaching 50,000+ unique detections in January 2024.

What is the FortiGuard Labs analysis? 

The vulnerabilities (CVE-2023-26347, CVE-2023-38205, CVE-2023-29298) allow an attacker to bypass the Secure Profile feature that restricts external access to the ColdFusion Administrator. Successful exploitation could result in access to the ColdFusion Administration endpoints, and attackers could further chain CVE-2023-38203 to achieve remote code execution.

How does Fortinet detect and protect against the Adobe ColdFusion Access Control Bypass Attack? 

  • To detect and block any traffic targeting the Adobe ColdFusion access control bypass, the FortiGuard IPS provides protection.
  • To detect and respond to the attack, the FortiGuard Outbreak Detection service provides an automatic event handler and reports.
  • To identify systems vulnerable to the Adobe ColdFusion access control bypass vulnerabilities, FortiClient provides the FortiGuard Endpoint Vulnerability Service.

Where can I find additional information? 

An Outbreak Alert report is posted on the FortiGuard Labs website. It provides details on all the FortiGuard services that provide detection and protection, as well as how to respond to, recover from, and identify the attack.

Jan 10, 2024
Severity: high
Microsoft SharePoint Server Elevation of Privilege Vulnerability

What is Microsoft SharePoint Server Elevation of Privilege Vulnerability?
The vulnerability tracked under CVE-2023-29357 is an authentication bypass vulnerability that adversaries may use to escalate privileges on affected installations of Microsoft SharePoint Server. Attackers may chain it with other vulnerabilities to achieve remote code execution and compromise the integrity, availability, and confidentiality of the target system.

What is the FortiGuard Labs analysis? 

The Microsoft SharePoint Server vulnerability (CVE-2023-29357) is being actively exploited. FortiGuard Labs telemetry shows the government, telco, and education industries being targeted. Due to the public availability of a proof of concept (PoC) and the active exploitation attempts, FortiGuard Labs recommends that users apply patches to vulnerable systems as soon as possible.

How does Fortinet detect and protect against the Microsoft SharePoint Server Elevation of Privilege Vulnerability? 

  • To detect and block any traffic targeting the Microsoft SharePoint Server Elevation of Privilege Vulnerability, the FortiGuard IPS provides protection.
  • To detect and respond to the attack, the FortiGuard Outbreak Detection service provides an automatic event handler and reports.
  • To identify systems vulnerable to the Microsoft SharePoint Server Elevation of Privilege Vulnerability, the FortiGuard Endpoint Vulnerability Service is provided by FortiClient.

Where can I find additional information? 

An Outbreak Alert report is posted on the FortiGuard Labs website. It provides details on all the FortiGuard services that provide detection and protection, as well as how to respond to, recover from, and identify the attack.

Dec 14, 2023
Severity: high
JetBrains TeamCity Authentication Bypass Attack

What is JetBrains TeamCity Authentication Bypass Attack?
Multiple threat actors have been seen exploiting an authentication bypass flaw in JetBrains TeamCity that could lead to remote code execution. If compromised, a TeamCity server would give malicious actors access to that software developer's source code and signing certificates, and the ability to subvert software compilation and deployment processes, access that a malicious actor could further use to conduct supply chain operations.

What is the FortiGuard Labs analysis? 

Recent threat research by FortiGuard Labs found APT29 exploiting CVE-2023-42793. The behavior of the malware used in post-exploitation matches the Graphical Proton malware used by APT29. The attack exploited the CVE-2023-42793 TeamCity vulnerability using a custom-built exploit script written in Python.

How does Fortinet detect and protect against the JetBrains TeamCity Authentication Bypass Attack?

  • To detect and block any traffic targeting the JetBrains TeamCity authentication bypass vulnerability, the FortiGuard IPS provides protection.
  • To detect the known malware related to the campaign, FortiGuard Antivirus provides protection.
  • To detect and block users from connecting to malicious domains, IPs, and URLs, the FortiGuard Anti-botnet and Web Filtering services provide protection.
  • To detect and respond to the attack, the FortiGuard Outbreak Detection service provides an automatic event handler and reports.
  • The FortiGuard Indicators of Compromise Service is available for threat hunting via FortiAnalyzer, FortiSIEM, and FortiSOAR.
  • To detect and block unknown variants of the malware, the FortiGuard behavior detection engine is available via FortiSandbox and FortiEDR/XDR.
  • To identify systems vulnerable to the JetBrains TeamCity authentication bypass, the FortiGuard Endpoint Vulnerability Service is provided by FortiClient.

Where can I find additional information? 

An Outbreak Alert report is posted on the FortiGuard Labs website. It provides details on all the FortiGuard services that provide detection and protection, as well as how to respond to, recover from, and identify the attack.

Dec 12, 2023
Severity: high
Lazarus RAT Attack

What is Lazarus RAT Attack?
A new attack campaign led by the Lazarus threat actor group has been seen employing new DLang-based Remote Access Trojan (RAT) malware. The attack attempts to exploit the Apache Log4j2 vulnerability (CVE-2021-44228) for initial access. Once a system is compromised, the malware eventually creates a command and control (C2) channel.

What is the FortiGuard Labs analysis? 

According to FortiGuard telemetry, there has been a significant increase in IPS detection activity, reaching 65,000+ unique IPS devices in December. However, this particular campaign is just one instance of threat actors still actively targeting the Log4j2 vulnerability and using it as an initial access vector because of its widespread usage. In this case, the APT actors were seen implanting Remote Access Trojan (RAT) malware on the infected systems; its activities commonly include establishing remote access connections, capturing keyboard input, collecting system information, downloading and uploading files, and running and terminating processes.

How does Fortinet detect and protect against Lazarus RAT Attack? 

  • To detect and block any traffic targeting the Log4j2 vulnerability, the FortiGuard IPS provides protection.
  • To detect the known RAT malware related to the Lazarus campaign, FortiGuard Antivirus provides protection.
  • To detect and block users from connecting to malicious domains, IPs, and URLs, the FortiGuard Anti-botnet and Web Filtering services provide protection.
  • To detect and respond to the attack, the FortiGuard Outbreak Detection service provides an automatic event handler and reports.
  • The FortiGuard Indicators of Compromise Service is available for threat hunting via FortiAnalyzer, FortiSIEM, and FortiSOAR.
  • To detect and block unknown variants of the RAT malware, the FortiGuard behavior detection engine is available via FortiSandbox and FortiEDR/XDR.
  • To identify systems vulnerable to the Apache Log4j2 vulnerability, the FortiGuard Endpoint Vulnerability Service is provided by FortiClient.

Where can I find additional information? 

An Outbreak Alert report is posted on the FortiGuard Labs website. It provides details on all the FortiGuard services that provide detection and protection, as well as how to respond to, recover from, and identify the attack.

Nov 6, 2023
Severity: high
Apache ActiveMQ Ransomware Attack

What is Apache ActiveMQ Ransomware Attack?
Ransomware attackers are targeting servers running outdated and vulnerable versions of Apache ActiveMQ by exploiting a recently fixed vulnerability (CVE-2023-46604).

What is the FortiGuard Labs analysis? 

CVE-2023-46604 is an unauthenticated deserialization vulnerability in ActiveMQ's OpenWire transport connector. Successful exploitation allows an attacker to execute arbitrary code with the same privileges as the ActiveMQ server. As technical details on exploiting CVE-2023-46604 are publicly available, applying the security updates should be prioritized.

How does Fortinet detect and protect against ActiveMQ Ransomware Attack? 

  • To detect and block the ransomware attack targeting the vulnerability (CVE-2023-46604), FortiGuard AV signatures are available.
  • To detect and respond to the attack, FortiAnalyzer, via the FortiGuard Outbreak Detection service, provides an automatic event handler and reports.
  • To detect vulnerable Apache ActiveMQ systems, the Endpoint Vulnerability Service is provided by FortiClient.
  • To detect and block unknown variants of ransomware and malware, the FortiGuard behavior detection engine is available via FortiEDR/XDR and FortiSandbox.
  • FortiGuard Labs has blocked the known IoCs related to these attacks via the Web Filtering service.
  • The Indicators of Compromise Service is available for threat hunting via FortiAnalyzer and FortiSIEM.

Where can I find additional information? 

An Outbreak Alert report is posted on the FortiGuard Labs website. It provides details on all the FortiGuard services that provide detection and protection, as well as how to respond to, recover from, and identify the attack.

Nov 2, 2023
Severity: high
Citrix Bleed Attack

What is Citrix Bleed Attack?
The Citrix Bleed attack targets Citrix NetScaler Application Delivery Controller and NetScaler Gateway appliances. The attack exploits a buffer overflow vulnerability that can result in the takeover of legitimate user sessions on the appliances. The session takeover bypasses password and multi-factor authentication.

What is the FortiGuard Labs analysis? 

Exploitation could allow threat actors to hijack existing authenticated sessions, enabling them to bypass multifactor authentication (MFA). FortiGuard has been blocking a thousand attack attempts on network devices daily.

How does Fortinet detect and protect against the Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability? 

  • To detect and block the attack targeting the vulnerability, FortiGuard provides the IPS signature "HTTP.Header.Overly.Long.Host.Field.Value".
  • To detect and respond to the attack, FortiAnalyzer, via the FortiGuard Outbreak Detection service, provides an automatic event handler and reports.

Where can I find additional information? 

An Outbreak Alert report is posted on the FortiGuard Labs website. It provides details on all the FortiGuard services that provide detection and protection, as well as how to respond to, recover from, and identify the attack.

Oct 20, 2023
Severity: critical
Cisco IOS XE Web UI Attack

What is Cisco IOS XE Web UI Vulnerability?
A newly identified vulnerability in the Web UI of Cisco IOS XE is being exploited in the wild. It is a privilege escalation vulnerability tracked under CVE-2023-20198.

What is the FortiGuard Labs analysis? 

The vulnerability affects the Web UI of Cisco IOS XE devices. Exploitation could allow a remote, unauthenticated attacker to create an administrative account on the affected system. The attacker can then use that account to gain control of the whole system, install a backdoor on the device, and further infiltrate the network.

How does Fortinet detect and protect against the Cisco IOS XE Web UI Privilege Escalation Vulnerability? 

  • To detect and block any traffic targeting the backdoor installed on the Cisco devices, the FortiGuard IPS provides a signature update.
  • To detect and respond to the attack, FortiAnalyzer, via the FortiGuard Outbreak Detection service, provides an automatic event handler and reports.

Where can I find additional information? 

An Outbreak Alert report is posted on the FortiGuard Labs website. It provides details on all the FortiGuard services that provide detection and protection, as well as how to respond to, recover from, and identify the attack.

Oct 13, 2023
Severity: high
HTTP/2 Rapid Reset Attack

What is HTTP/2 Rapid Reset Attack?
A newly identified Distributed Denial-of-Service (DDoS) attack technique is being used in the wild. This DDoS attack, known as 'HTTP/2 Rapid Reset', leverages a flaw in the implementation of the HTTP/2 protocol.

What is the FortiGuard Labs analysis? 

This HTTP/2 vulnerability allows malicious actors to launch a DDoS attack against HTTP/2 servers. The attack sends a set number of HTTP requests to generate a high volume of traffic on the targeted HTTP/2 servers. Attackers can cause a significant increase in requests per second and high CPU utilization on the servers, which can eventually cause resource exhaustion.

How does Fortinet detect and protect against the HTTP/2 Rapid Reset Vulnerability? 

  • The maliciously crafted request to the server is detected by the FortiGuard IPS and Client Application Firewall as an attempt to exploit the vulnerability.
  • Web servers running a vulnerable version of HTTP/2 are detected by the Endpoint Vulnerability Service to provide visibility of the attack surface.
  • FortiGuard recommends using an application-layer protection service such as the Web Application Firewall (WAF) provided by FortiWeb to protect web applications against network attacks, and using the Application Delivery service provided by FortiADC for load balancing and to generally improve security posture.
  • Additionally, FortiWeb customers should use HTTP Protocol Constraints to define or reduce the maximum number of requests per client. See the instructions in the referenced article.
  • To detect and respond to the attack, FortiAnalyzer, via the FortiGuard Outbreak Detection service, provides an automatic event handler and reports.

Where can I find additional information? 

An Outbreak Alert report is posted on the FortiGuard Labs website. It provides details on all the FortiGuard services that provide detection and protection, as well as how to respond to, recover from, and identify the attack.

Oct 4, 2023
Severity: high
Google Chromium WebP Vulnerability
What is Google Chromium WebP Vulnerability?
The critical vulnerability is a buffer overflow in the Google Chromium WebP library. The library is used by several popular applications, such as Google Chrome, Microsoft Edge, Microsoft Teams, Mozilla Firefox, and Mozilla Thunderbird, all of which are affected by the vulnerability.

What is the FortiGuard Labs analysis?

The vulnerability is exploited via a crafted image in the WebP file format opened in popular browsers and applications. Successful exploitation can cause the affected applications to crash or lead to arbitrary code execution.

How does Fortinet detect and protect against the WebP vulnerability?

  • The maliciously crafted image is detected by the FortiGuard IPS and Client Application Firewall as an attempt to exploit the vulnerability.
  • Vulnerable browsers and applications are detected by the Endpoint Vulnerability Service to provide visibility of the attack surface.
  • To detect and respond to the attack, FortiAnalyzer, via the FortiGuard Outbreak Detection service, provides an automatic event handler and reports.

Where can I find additional information?

An Outbreak Alert report is posted on the FortiGuard Labs website that provides details on all the FortiGuard services that provide detection and protection, as well as how to respond to, recover from, and identify the attack.

Sep 7, 2023
Severity: high
Agent Tesla Malware Attack
FortiGuard Labs captured a phishing campaign that spreads a new Agent Tesla variant.
What is Agent Tesla Malware?
Agent Tesla made its debut in 2014 as Microsoft Windows executable malware. Since then, numerous iterations of this malware have been released. The latest variant is compressed and obfuscated to evade antivirus detection. The malware attack has been active, with daily detections of several thousand maliciously crafted Microsoft Office files.

What is the FortiGuard Labs analysis?

The Agent Tesla malware attack is initiated through a phishing email with an attached Microsoft Office file. The attached file is crafted to exploit a vulnerability and execute malicious code. The code subsequently downloads additional malware that contains the payload to specifically steal saved credentials, log keystrokes, and take screenshots of the desktop.

How does Fortinet detect and protect against Agent Tesla?

  • The email used in the attack is detected as phishing by FortiGate and FortiMail via the FortiGuard Antispam service.
  • The attached file and downloaded payload are detected as malware by FortiGate, FortiClient, and FortiMail using the FortiGuard Antivirus and Sandbox services.
  • The URL hosting the payload is detected and rated as a malicious website by FortiGate via the FortiGuard Web Filtering service.
  • To detect and respond to the attack, FortiAnalyzer via the FortiGuard Outbreak Detection service provides automatic event handlers and reports.

Where can I find additional information?

An Outbreak Alert report is posted on the FortiGuard Labs website that provides details on all the FortiGuard services that provide detection and protection, as well as how to respond to, recover from, and identify the attack. You can also read the blog for a comprehensive technical analysis of the malware attack.

Aug 21, 2023
Severity: high
Adobe ColdFusion Actively Targeted

What are the Adobe ColdFusion Deserialization of Untrusted Data Vulnerabilities?
Adobe ColdFusion is actively exploited through Deserialization of Untrusted Data vulnerabilities. The untrusted data can be used to abuse application logic, deny service, or execute arbitrary code, and can affect the availability, access and authorization of the system. Adobe ColdFusion is a commercial web-application and mobile-application development platform. Exploitation of this vulnerability does not require any user interaction. CISA has issued an advisory for these vulnerabilities and added them to its Known Exploited Vulnerabilities (KEV) catalog.

What is the FortiGuard Labs analysis?

Exploitation of the insecure deserialization vulnerability in Adobe ColdFusion begins with a remote client sending a maliciously crafted request to the server. The attack on vulnerable versions of ColdFusion can lead to arbitrary code execution.

How does Fortinet detect and protect against Adobe ColdFusion Deserialization of Untrusted Data Vulnerabilities?

  • The maliciously crafted request to the ColdFusion server is detected by FortiGate via the FortiGuard IPS service.
  • To detect and respond to the attack, FortiAnalyzer via the FortiGuard Outbreak Detection service provides automatic event handlers and reports.

Where can I find additional information?

Click on the Outbreak Details link below to learn more about the attack and how FortiGuard services provide detection and protection against it, as well as how to identify, respond to and recover from the attack.

Aug 10, 2023
Severity: high
Ivanti Endpoint Manager Mobile Authentication Bypass
Attack Type: Authentication Bypass Vulnerability
Effect: Ivanti Endpoint Manager Mobile (EPMM, formerly MobileIron Core) contains an authentication bypass vulnerability that allows unauthenticated access to specific API paths and a path traversal vulnerability. An attacker with access to these API paths can access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system, as well as install software and modify security profiles on registered devices.
Aug 9, 2023
Severity: medium
Zyxel Router Command Injection Attack
Attack Type: Command Injection Vulnerability
Effect: An end-of-life router is actively targeted in the wild. A command injection vulnerability in the Remote System Log forwarder function of the Zyxel P660HN-T1A v1 firmware version 3.40 (ULM.0) b3 could allow a remote unauthenticated attacker to execute OS commands by sending a crafted HTTP request.
Jul 26, 2023
Severity: medium
WooCommerce Payments Improper Authentication Vulnerability
Attack Type: Vulnerability
Effect: WooCommerce Payments (versions 4.8.0 through 5.6.1), a popular e-commerce payment plugin for WordPress sites designed for small to large online merchants, is affected by an authentication bypass vulnerability. Successful exploitation could allow an unauthorized attacker to gain admin privileges on affected WordPress websites and impersonate arbitrary users, including an administrator, potentially leading to site takeover.
Jul 17, 2023
Severity: high
Microsoft Office and Windows HTML RCE Vulnerability
Attack Type: Vulnerability, Attack
Effect: Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America. The campaign involved the abuse of CVE-2023-36884, a remote code execution vulnerability exploited via specially crafted Microsoft Office documents spread using phishing techniques.
Jul 6, 2023
Severity: high
SolarView Compact Command Injection Vulnerability
Attack Type: Vulnerability, OT/ICS
Effect: FortiGuard Labs observed a huge spike in attack attempts relating to a command injection vulnerability in SolarView Compact (a solar power generation monitoring system), with more than 18,000 unique IPS detections in July 2023. The exploit works because the SolarView Compact confi_mail.php component fails to adequately sanitize user-supplied input, leading to command injection.
Jul 5, 2023
Severity: medium
Apache RocketMQ Remote Command Execution Vulnerability
Attack Type: Vulnerability Exploitation
Effect: RocketMQ versions 5.1.0 and below are vulnerable to arbitrary code injection. The Broker component of RocketMQ is exposed on the extranet and lacks permission verification. An attacker can exploit this vulnerability by using the update configuration function to execute commands or by forging RocketMQ protocol content. CVE-2023-33246 is reportedly being exploited in the wild. Additionally, proof-of-concept (PoC) code is publicly available.
Jun 22, 2023
Severity: high
VMware Aria Operations for Networks Command Injection Vulnerability
Attack Type: Vulnerability Exploitation
Effect: VMware Aria Operations for Networks (formerly vRealize Network Insight) contains a command injection vulnerability that allows a malicious actor with network access to perform an attack resulting in remote code execution. According to the vendor advisory, the vulnerability has been seen exploited in the wild.
Jun 21, 2023
Severity: medium
TP-Link Archer AX-21 Command Injection Vulnerability
Attack Type: A command injection vulnerability exists in TP-Link Archer AX21 (AX1800)
Effect: TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 contain a command injection vulnerability in the web management interface, specifically in the "Country" field. There is no sanitization of this field, so an attacker can exploit it for malicious activities and gain a foothold. The vulnerability has been exploited in the wild to deploy the Mirai botnet.
Jun 20, 2023
Severity: critical
MOVEit Transfer Vulnerability
Attack Type: MOVEit Transfer Vulnerability
Effect: MOVEit Transfer provides secure file transfer between enterprises by encrypting files at rest and in transit, and also provides management tools and visibility for monitoring data flow. This attack can allow an unauthorized user to gain access to the MOVEit Transfer database.
Jun 14, 2023
Severity: high
Router Malware Attack
Attack Type: Highly targeted router vulnerability
Effect: Various older router vulnerabilities are still being exploited in the wild to distribute malware such as MooBot, Lucifer, BotenaGo, Zerobot and Enemybot.
Jun 6, 2023
Severity: high
Zyxel Multiple Firewall Vulnerabilities
Attack Type: OS command injection vulnerability
Effect: Zyxel devices are affected by multiple critical vulnerabilities. Attackers have been seen deploying a Mirai-like botnet that induces denial-of-service conditions. One of the vulnerabilities allows unauthenticated attackers to execute OS commands remotely and has a publicly available PoC.
Jun 1, 2023
Severity: high
CosmicEnergy Malware
Attack Type: Alleged Russian CosmicEnergy Malware
Effect: Designed to disrupt electric power systems, this malware is capable of interacting with the devices responsible for managing power grids, potentially leading to power outages. Europe, the Middle East, and Asia are potentially affected.
May 11, 2023
Severity: high
Active Exploitation of Multiple Vendor Camera System Attack
Attack Type: Active exploitation of vulnerabilities in camera systems
Effect: Successful attacks can result in system compromise, arbitrary system command execution or file disclosure, and authentication bypass to obtain administrative access.
May 8, 2023
Severity: high
Oracle WebLogic Server Vulnerability
Attack Type: This vulnerability allows an unauthenticated attacker with network access via T3 or IIOP to compromise Oracle WebLogic Server
Effect: Successful attacks of this vulnerability can result in unauthorized access to critical data on the Oracle WebLogic Server and the confidentiality impact of the vulnerability is rated as "High".
May 1, 2023
Severity: high
DVR Authentication Bypass Vulnerability
Attack Type: Detection spike in DVR Authentication Bypass Vulnerability
Effect: This indicates that attackers tried to exploit the vulnerability, potentially gaining unauthorized access to vulnerable DVR devices.
Apr 26, 2023
Severity: medium
ThinkPHP Remote Code Execution Vulnerability
Attack Type: ThinkPHP RCE Vulnerabilities (CVE-2019-9082, CVE-2018-20062) Actively Exploited in the Wild
Effect: A remote code execution vulnerability exists within multiple subsystems of ThinkPHP 5.0.x and 5.1.x. FortiGuard Labs continues to see high volumes of exploitation attempts against these old vulnerabilities, with more than 50,000 IPS device detections per day. There are multiple actors abusing this flaw to...
Apr 26, 2023
Severity: medium
PaperCut MF/NG Improper Access Control Vulnerability
Attack Type: PaperCut Remote Code Execution Vulnerability (CVE-2023-27350) Exploited in the Wild
Effect: An unauthenticated attacker can achieve remote code execution (RCE) on a vulnerable PaperCut Application Server. According to the vendor, the specific flaw exists within the SetupCompleted class and can be exploited remotely without authentication. PaperCut MF/NG Improper Access Control...
Apr 21, 2023
Severity: medium
Zoho ManageEngine RCE Vulnerability
Attack Type: Multiple Zoho ManageEngine products exploited in the wild
Effect: Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus, Password Manager Pro and ADSelfService Plus, allow remote code execution due to the use of an outdated third-party dependency, Apache Santuario. Successful exploitation could lead to remote code execution, and evidence of...
Apr 20, 2023
Severity: medium
IBM Aspera Faspex Code Execution Vulnerability
Attack Type: Vulnerability
Effect: IBM Aspera Faspex could allow a remote attacker to execute code on the system due to a YAML deserialization flaw. By sending a specially crafted call to an obsolete API, an attacker could exploit this vulnerability to execute arbitrary code on the system.
Apr 19, 2023
Severity: medium
VM2 Sandbox Escape Vulnerability
Attack Type: Critical flaws in a widely used JavaScript sandbox library
Effect: vm2 is a sandbox solution that can run untrusted code with whitelisted Node built-in modules. By exploiting the flaws, threat actors can bypass the sandbox protections to gain remote code execution on the host running the sandbox.
Mar 30, 2023
Severity: critical
3CX Supply Chain Attack
Attack Type: Signed 3CX desktop app reportedly used in a supply chain attack
Effect: A digitally signed 3CX desktop app was used in a supply chain attack against 3CX VoIP customers. A previously unknown infostealer was deployed to the victims at the end of the infection chain. At this time, the Windows and macOS versions were reportedly trojanized.
Sep 30, 2022
Severity: critical
Microsoft Exchange 0-day
Attack Type: Vulnerability Exploitation
Effect: Two critical zero-day vulnerabilities (CVE-2022-41082 and CVE-2022-41040) can allow an attacker to achieve remote code execution (RCE) on Microsoft Exchange Servers.
Jun 4, 2022
Severity: medium
Confluence Vulnerability
Attack Type: Vulnerability Exploitation Leading to Remote Code Execution
Effect: A critical 0-day vulnerability in Atlassian Confluence Data Center and Server is actively being exploited in the wild. The vulnerability is an Object Graph Navigation Language (OGNL) injection that allows an unauthenticated user to execute arbitrary code.
Jun 1, 2022
Severity: high
Follina: MSDT 0-day
Attack Type: Vulnerability Exploitation
Effect: This vulnerability (CVE-2022-30190) is a 0-day in the Microsoft Support Diagnostic Tool that allows remote code execution and is being exploited in the wild. More attacks are expected, as proof-of-concept code is available and a patch has not yet been released.
Dec 9, 2021
Severity: critical
Log4j
Attack Type: Vulnerability Exploitation Leading to Remote Code Execution
Effect: A zero-day vulnerability was discovered in Log4j, a Java-based logging utility that is part of the Apache Logging Services Project. Log4j is deployed on millions of servers, and this vulnerability can be exploited to allow remote code execution and total system control on vulnerable systems.
Jul 1, 2021
Severity: high
Kaseya VSA
Attack Type: Vulnerability Exploitation and REvil Ransomware-as-a-Service
Effect: A sophisticated supply-chain ransomware attack that leveraged a vulnerability in the Kaseya VSA software to infect multiple managed service providers (MSPs) and their customers. We provide Outbreak Alert analyses for both the initial exploitation and the subsequent ransomware attack.
Jun 30, 2021
Severity: high
Microsoft Print Spooler
Attack Type: Vulnerability Exploitation
Effect: A potentially new zero-day Microsoft vulnerability, dubbed "PrintNightmare," makes it possible for any authenticated attacker to remotely execute code with SYSTEM privileges on any machine that has the Windows Print Spooler service enabled (which is the default setting).
May 6, 2021
Severity: high
Colonial Pipeline
Attack Type: Ransomware
Effect: Operational Technology (OT) attack. These actions temporarily halted all pipeline operations and affected some of the company's IT systems, causing gas shortages and taking weeks to recover from.
Mar 10, 2021
Severity: high
F5 Big IP
Attack Type: Vulnerability Exploitation
Effect: F5 reported several new vulnerabilities under attack that could lead to complete system compromise. F5 urged immediate upgrades.
Jan 6, 2021
Severity: high
Microsoft Exchange
Attack Type: Vulnerability Exploitation and DearCry Ransomware
Effect: The original zero-day vulnerabilities were exploited and used by the HAFNIUM group for the global ransomware campaign.
Dec 15, 2020
Severity: high
SolarWinds
Attack Type: Hack (Sunburst, Teardrop, Raindrop malware)
Effect: A complex and targeted supply chain cyber attack, with the primary goal of inserting a malicious backdoor into trusted (signed) software, which could later be exploited in end-customer updates of the SolarWinds Orion platform.
