Sophisticated attackers are exploiting a recently patched FortiOS vulnerability to target government and large organizations. Fortinet released the patch for CVE-2022-41328 on March 7th, describing it as a high-severity vulnerability that allows attackers to execute unauthorized code or commands.
In a report last week, Fortinet revealed that an intrusion at one of its customers caused all of the customer’s FortiGate devices to shut down at the same time with the message “System enters error-mode due to FIPS error: Firmware Integrity self-test failed”, after which they failed to boot. FIPS-enabled devices verify the integrity of their system components; if an integrity breach is detected, the device shuts down and refuses to boot in order to protect the network.
The FortiGate firewalls were breached via a FortiManager device on the victim’s network, which appeared to have been compromised using the same tactics. The investigation showed that the attackers modified the device firmware image (/sbin/init) so that it launched a payload (/bin/fgfm) before the normal boot process began.
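As an added example (not from this post or from Fortinet), here is a small Python check that scans syslog forwarded from FortiGate units for the FIPS integrity message quoted above and flags the multi-device, same-time shutdown pattern the report describes, which is unlikely for an isolated hardware fault. The log lines, hostnames and timestamps are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (not real device output). The FIPS message
# text is the one quoted in Fortinet's report; hostnames/timestamps are made up.
SAMPLE_LOGS = """\
2023-03-08T02:13:59Z fgt-branch-01 admin login from 10.0.0.5
2023-03-08T02:14:03Z fgt-branch-01 System enters error-mode due to FIPS error: Firmware Integrity self-test failed
2023-03-08T02:14:05Z fgt-branch-02 System enters error-mode due to FIPS error: Firmware Integrity self-test failed
2023-03-08T02:14:07Z fgt-dc-01 System enters error-mode due to FIPS error: Firmware Integrity self-test failed
2023-03-08T09:30:11Z fgt-lab-01 System enters error-mode due to FIPS error: Firmware Integrity self-test failed
"""

FIPS_MSG = "System enters error-mode due to FIPS error: Firmware Integrity self-test failed"
FIPS_PATTERN = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+" + re.escape(FIPS_MSG) + r"\s*$")


def parse_fips_failures(text):
    """Return (timestamp, hostname) pairs, sorted by time, for every FIPS integrity failure."""
    events = []
    for line in text.splitlines():
        m = FIPS_PATTERN.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group("host")))
    return sorted(events)


def correlated_failures(events, window=timedelta(minutes=5), min_devices=2):
    """Cluster failures that start within `window` of each other and return the
    sorted hostnames of every cluster hitting at least `min_devices` distinct devices.
    A single device failing its self-test may be a bad flash; several at once
    across the estate is the pattern worth treating as a possible firmware tamper."""
    clusters, current = [], []
    for ts, host in sorted(events):
        if current and ts - current[0][0] > window:
            clusters.append(current)
            current = []
        current.append((ts, host))
    if current:
        clusters.append(current)
    suspicious = []
    for cluster in clusters:
        hosts = sorted({h for _, h in cluster})
        if len(hosts) >= min_devices:
            suspicious.append(hosts)
    return suspicious


if __name__ == "__main__":
    for hosts in correlated_failures(parse_fips_failures(SAMPLE_LOGS)):
        print("Correlated FIPS integrity failures on:", ", ".join(hosts))
```

A single device in the lone 09:30 event is not reported; the three devices failing within seconds of each other are.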
“The attack is highly targeted, with some hints of preferred governmental or government-related targets,” the company said.
The attackers have also demonstrated “advanced capabilities,” including reverse-engineering parts of the FortiGate devices’ operating system.
“The exploit requires a deep understanding of FortiOS and the underlying hardware. Custom implants show that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS.”
Horizon3.ai Exploit Developer James Horseman had this to say:
“The level of sophistication demonstrated in this attack indicates that the attackers have a deep understanding of FortiOS, which suggests that they have considerable resources and expertise at their disposal. This is likely a targeted attack, as indicated by Fortinet’s statement that there are “hints of preferred governmental or government-related targets.”
“It is worth noting that the writeup from Fortinet does not provide information on how the attackers gained initial access, which is a crucial part of understanding the full scope of the attack. While CVE-2022-41328 allows for the execution of unauthorized code or commands, it requires privileged access. This suggests that the attackers either obtained credentials for the FortiGate/FortiManager devices or used another exploit to gain remote code execution. It is also possible that the attackers used an undisclosed 0-day to gain initial access.
“Given the severity of the vulnerability and the potential for the attackers to have gained privileged access to the targeted systems, organizations that use FortiOS should take immediate steps to patch the vulnerability and monitor their systems for any suspicious activity. Additionally, it is important to stay informed about any new developments in this attack to understand its full impact and how the attackers were able to gain initial access.”
David Maynor, Senior Director of Threat Intelligence at Cybrary, follows up with this comment:
“Fortinet has turned into the Groundhog Day of vulnerabilities.”
What he’s referencing is that this isn’t the first go-round with vulnerabilities in Fortinet products:
In January, Fortinet disclosed a very similar series of incidents where a FortiOS SSL-VPN vulnerability patched in December 2022 and tracked as CVE-2022-42475 was also used as a zero-day bug to target government organizations and government-related entities.
Thus I suspect that enterprises that own Fortinet gear may be thinking twice about having it on their networks.
Investment Fraud is Now Top Cybercrime Earner: Internet Crime Report
Posted in Commentary with tags Cybercrime on March 14, 2023 by itnerd
According to the 2022 Internet Crime Report compiled by the FBI’s IC3, Investment Fraud, at $3.3 billion, is now the top-earning cybercrime category, surpassing business email compromise in 2022. Furthermore, the Bureau said the increase was mainly a result of criminals spoofing legitimate business phone numbers to confirm fraudulent banking details with their victims.
Complaints filed by consumers and businesses worldwide throughout 2022 showed:
• $10.3bn total cybercrime losses (up 49% yoy)
• 801,000 complaints (down 46,000 yoy)
• $3.31bn total Investment fraud (up 127% yoy)
• $806.6m total Tech support fraud (up 132% yoy)
• $2.7bn total BEC fraud (up 14% yoy)
• 300,000 phishing complaints (down 7% yoy but still the most popular form)
The report also noted that while 2,385 ransomware complaints were reported last year, with estimated losses of $34.4m, these figures do not represent the full scale of the financial burden placed on organizations. Many ransomware breaches go unreported, and the loss estimates do not include lost business, time, wages, files or equipment, or the third-party remediation services used by victims.
Monti Knode, Director of Customer Success, Horizon3.ai had this to say:
“The SVB collapse is a perfect storm for both Investment fraud and BEC — the top two losses categories from the IC3.
“Right now, thousands of tech companies are moving their money, but even more fragile is the fact that they are messaging with their customers and reestablishing invoicing and payments. This is creating confusion and opens up opportunity for attackers to pose and prey on unwitting customers.
“Tech companies caught up in the SVB collapse will need to be extremely diligent and get personal with their customer base to maintain trust during this tough time, or a customer may quickly attribute the moniker of “threat” to their vendor, and that’s nowhere anyone wants to be.”
This dovetails into a story that I put up yesterday saying that I expect attacks that leverage the failure of SVB. Given the numbers in this report, we could start seeing those attacks at any time, on top of all the usual cybercrime that we see now. And that’s going to cost us all a lot of money.