Cybersecurity News: Fortigate firewall flaw, BatCloak’s undetectable malware, Swiss government cyberattacks

Critical RCE flaw discovered in Fortinet FortiGate firewalls

Fortinet has released patches to address a critical security flaw in its FortiGate firewalls that could lead to remote code execution. Lexfo Security researcher Charles Fol, who co-discovered and reported the flaw with Dany Bach, said in a tweet over the weekend that the vulnerability, tracked as CVE-2023-27997, is “reachable pre-authentication, on every SSL VPN appliance.” French cybersecurity company Olympe Cyberdefense said in a separate alert that the issue has been patched in FortiOS versions 6.2.15, 6.4.13, 7.0.12, and 7.2.5, noting that “the flaw would allow a hostile agent to interfere via the VPN, even if the MFA is activated.”

(The Hacker News)
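As an added example (not code from the original item, from Fortinet or from the researchers), the following Python script compares FortiOS version strings, as they appear in `get system status` output, against the four fixed releases listed above. The status lines and the inventory are constructed for illustration; release branches the item does not name (for example 6.0 or 7.4) are reported as unknown rather than assumed safe, and any real fleet check should be confirmed against Fortinet's own advisory.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed FortiOS builds for CVE-2023-27997 as reported in the item above,
# keyed by release branch (major, minor). Branches not listed here are
# deliberately treated as unknown, not as safe.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (6, 2): (6, 2, 15),
    (6, 4): (6, 4, 13),
    (7, 0): (7, 0, 12),
    (7, 2): (7, 2, 5),
}

# Matches the "v7.0.11" style token in a FortiOS status line; model names
# such as "FortiGate-100F" contain no dotted triple and are ignored.
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_fortios_version(status_line: str) -> Optional[Version]:
    """Extract (major, minor, patch) from a status line, or None if absent."""
    match = _VERSION_RE.search(status_line)
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def assess(version: Version) -> str:
    """Classify a version as 'patched', 'vulnerable' or 'unknown-branch'
    relative to the fixed builds listed on this page."""
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unknown-branch"  # e.g. 6.0 or 7.4: not covered by this list
    return "patched" if version >= fixed else "vulnerable"


def check_inventory(status_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, verdict) pairs; lines with no parseable version get
    'unparsed' so they are not silently dropped from the report."""
    results = []
    for line in status_lines:
        version = parse_fortios_version(line)
        verdict = "unparsed" if version is None else assess(version)
        results.append((line, verdict))
    return results


# Constructed sample inventory (hypothetical hostnames and builds).
SAMPLE_INVENTORY = [
    "edge-fw-01: Version: FortiGate-100F v7.0.11,build0489,230221 (GA.F)",
    "edge-fw-02: Version: FortiGate-60F v7.2.5,build1517,230515 (GA.F)",
    "dc-fw-01: Version: FortiGate-600E v6.4.12,build2510,230222 (GA.M)",
    "lab-fw-01: Version: FortiGate-VM64 v7.4.0,build2360,230509 (GA.F)",
    "branch-fw-07: Version: unavailable (device offline)",
]

if __name__ == "__main__":
    for line, verdict in check_inventory(SAMPLE_INVENTORY):
        print(f"{verdict:15s} {line}")
```

The comparison is a plain tuple compare within a branch, so a build such as 7.2.6 is reported as patched while 7.0.11 is reported as vulnerable; a version on a branch that is not in the list is surfaced for manual review instead of being scored.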

BatCloak engine makes malware fully undetectable

Researchers at Trend Micro describe the BatCloak obfuscation engine as giving threat actors “the ability to load numerous malware families and exploits with ease through highly obfuscated batch files.” The engine has been active since September 2022, and the researchers report that almost 80% of the 784 artifacts they unearthed were not detected by any of the security solutions tested. BatCloak forms the core of an off-the-shelf batch file builder called Jlaive, which can bypass the Antimalware Scan Interface (AMSI) and compresses and encrypts the primary payload to further evade detection.

(The Hacker News)

Swiss Government targeted by series of cyberattacks

Last week, the Swiss government was investigating a ransomware attack on Xplain, a Swiss software vendor with ties to multiple government agencies, including the Swiss army, the Federal Office of Police (Fedpol) and the national railway company (SBB). That attack was attributed to the Play ransomware group, believed to be based in Russia. Yesterday, the websites of several Swiss federal agencies and state-linked companies became inaccessible due to a DDoS attack claimed by NoName, a pro-Russia threat group specializing in such attacks against Ukrainian and European organizations.

(Infosecurity Magazine)

Thanks to this week’s episode sponsor, Conveyor

Tried to use GPT to fill out questionnaires yet? We already built that for you. Conveyor’s GPT-questionnaire response tool auto-generates precise, accurate answers to entire questionnaires.
With accuracy far superior to other tools, you can spend almost zero time reviewing generated answers. There’s also a browser extension for complex portals and other scary questionnaires. Best part is, it actually works. Try a free proof of concept with your own data to see it in action. You won’t be disappointed. Learn more at www.conveyor.com

More vulnerabilities found in MOVEit file transfer software

Progress Software, in the course of responding to the ransomware group's attack on its MOVEit file transfer suite, has discovered further issues that the company said could be used to stage additional exploits. The discovery was made by cybersecurity firm Huntress, which Progress had hired to conduct a detailed code review of its systems. The newly discovered vulnerabilities are distinct from the issue reported earlier, and another patch for MOVEit Transfer and MOVEit Cloud has therefore been issued. At present there is no description of the newfound vulnerabilities; a CVE number (or numbers) should be assigned shortly.

(The Register)

Confidential data downloaded from UK regulator Ofcom in cyberattack

In a related story, Britain’s communications regulator Ofcom has announced the theft of confidential information that it held regarding companies under its purview. This has been attributed to a vulnerability in the MOVEit file transfer tool. “A limited amount of information about certain companies we regulate – some of it confidential – along with personal data of 412 Ofcom employees, was downloaded during the attack,” a spokesperson said. It is not known how many companies globally have been affected by the hacking campaign.

(The Record)

Last week in ransomware

The MOVEit Transfer data-theft attacks dominated last week’s ransomware news. In addition to Ofcom, just mentioned, other organizations currently known to have been affected include the BBC, Irish airline Aer Lingus, British retailer Boots, British Airways, the University of Rochester, the Government of Nova Scotia, Extreme Networks, the state of Illinois, and the Minnesota Department of Education (MDE). Last week also saw the emergence of the new BlackSuit encryptor, thought to belong to the Royal ransomware group. New ransomware variants called Cyclops and Xollam emerged. Rhysida’s ransomware attack on the Chilean army has seen an Army corporal arrested for alleged involvement. There was also an attack on Japanese pharmaceutical company Eisai, and Australia’s largest commercial law firm, HWL Ebsworth, refused to give in to ALPHV’s extortion demands. Listeners interested in an impressive family tree of ransomware operations created by CERT Orange Cyberdefense threat intelligence researcher Marine Pichon can check it out here.

https://github.com/cert-orangecyberdefense/ransomware_map/blob/main/OCD_WorldWatch_Ransomware-ecosystem-map.pdf

(Bleeping Computer and Cyber Security Headlines)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.