FortiGuard Labs | FortiGuard Center - Outbreak Alerts

Ivanti Connect Secure and Policy Secure Attack

Widespread exploitation of zero-day vulnerabilities affecting Ivanti Connect Secure and Policy Secure gateways underway.

PHP RCE Attack

FortiGuard Labs has observed significant level of exploitation attempts targeting the new PHP vulnerability. The TellYouThePass ransomware gang has been leveraging CVE-2024-4577, a remote code execution vulnerability in PHP to deliver web shells and deploy ransomware on targeted systems.

Check Point Quantum Security Gateways Information Disclosure Attack

Attackers exploit a zero-day vulnerability affecting Check Point Security Gateways to gain remote access. The vulnerability can allow attackers to read sensitive information on Check Point Security Gateways enabled with remote Access VPN or Mobile Access Software Blades.

D-Link Multiple Devices Attack

Multiple D-link device vulnerabilities are being actively targeted. Many of the Routers and NAS devices are end-of-life (EOL) D-Link devices that do not have any patches available.

Black Basta Ransomware

A new alert from CISA, the FBI, the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) reveals that Black Basta affiliates have attacked 12 of the 16 critical infrastructure sectors, including healthcare organizations.

C-DATA Web Management System RCE Attack

FortiGuard Labs observed a critical level of attack attempts in the wild targeting a 2-year-old vulnerability found on C-DATA Web Management System.

PAN-OS GlobalProtect Command Injection Vulnerability

The attack on PAN-OS GlobalProtect devices identified as CVE-2024-3400 allows a malicious actor to remotely exploit an unauthenticated command injection vulnerability that leads to remote code execution. Once established, the attacker can further collect configurations, deliver malware payloads and move laterally and internally.

Akira Ransomware

FortiGuard Labs continue to observe detections in the wild related to the Akira ransomware group. According to the new report by CISA it has targeted over 250 organizations since the past year, affecting numerous businesses and critical infrastructure entities across North America, Europe, and Australia. The gang has made over $42 million from the attacks as ransom payments.

Sunhillo SureLine Command Injection Attack

The attack on Sunhillo SureLine identified as CVE-2021-36380 allows a malicious actor to exploit an unauthenticated OS Command Injection vulnerability. Once established, the attacker can gain command over the targeted system and potentially achieving full system compromise.

Nice Linear eMerge Command Injection Vulnerability

The vulnerability tracked as CVE-2019-7256 affecting an access control system called Linear eMerge E3-Series is affected by an OS command injection flaw that could allow an attacker to cause remote code execution and full access to the system.

ConnectWise ScreenConnect Attack

Threat actors including ransomware gangs are seen exploiting newly discovered critical flaws in remote monitoring and management software called ScreenConnect.

Outbreak Alert- Annual Report 2023

FortiGuard Labs published a total of 38 Outbreak Alerts in the year 2023 comprising of 23 Significant Vulnerabilities, 8 Targeted Attack Campaigns, 4 OT/IoT Threats and 3 Malware related Threats. Read the full Annual Report to review the observed significant threats in 2023 and on-going.

Androxgh0st Malware Attack

FortiGuard Labs continue to observe widespread activity of Androxgh0st Malware in the wild exploiting multiple vulnerabilities, specifically targeting- the PHPUnit (CVE-2017-9841), Laravel Framework (CVE-2018-15133) and Apache Web Server (CVE-2021-41773) to spread and conduct information gathering attacks on the target networks

Adobe ColdFusion Access Control Bypass Attack

FortiGuards labs observed extremely widespread exploitation attempts relating to security bypass vulnerabilities in Adobe ColdFusion. Successful exploitation could result in access of the ColdFusion Administrator endpoints.

Lazarus RAT Attack

A new campaign conducted by the Lazarus Group is seen employing new DLang-based Remote Access Trojans (RATs) malware in the wild. The APT groups has been seen to target manufacturing, agricultural and physical security companies by exploiting the Log4j vulnerability and using it for initial access leading to a C2 (command and control) channel with the attacker.

Microsoft SharePoint Server Elevation of Privilege Vulnerability

CVE-2023-29357 is an authentication bypass vulnerability, which means that adversaries may use it to escalate privileges on affected installations of Microsoft SharePoint Server. If the user is a privileged account, such as an administrator, the attacker will gain elevated privileges.

JetBrains TeamCity Authentication Bypass Attack

Multiple Threat actors seen exploiting the authentication bypass flaw in JetBrains TeamCity that could lead to remote code execution. If compromised, they can access a TeamCity server, gaining entry to a software developer's source code, signing certificates, and the power to manipulate software building and deployment procedures. This access could also be misused by these malicious actors to carry out supply chain operations.

Apache ActiveMQ Ransomware Attack

Ransomware attackers are targeting servers running outdated and vulnerable versions of Apache ActiveMQ by exploiting a recently fixed vulnerability (CVE-2023-46604).

Citrix Bleed Attack

CVE-2023-4966 is being widely exploited, with multiple threat actors, including ransomware groups, targeting internet-accessible NetScaler ADC and Gateway instances. After exploiting CVE-2023-4966, the attackers may engage in network reconnaissance, stealing account credentials and moving laterally via RDP.

Cisco IOS XE Web UI Attack

Active exploitation of a previously unknown vulnerabilities in the Web User Interface (Web UI) of Cisco IOS XE software when exposed to the internet or untrusted networks. According to open source articles, thousands of vulnerable devices have been compromised.

Distributed by