PHP RCE Attack
FortiGuard Labs has observed significant level of exploitation attempts targeting the new PHP vulnerability. The TellYouThePass ransomware gang has been leveraging CVE-2024-4577, a remote code execution vulnerability in PHP to deliver web shells and deploy ransomware on targeted systems. |
Check Point Quantum Security Gateways Information Disclosure Attack
Attackers exploit a zero-day vulnerability affecting Check Point Security Gateways to gain remote access. The vulnerability can allow attackers to read sensitive information on Check Point Security Gateways enabled with remote Access VPN or Mobile Access Software Blades. |
D-Link Multiple Devices Attack
Multiple D-link device vulnerabilities are being actively targeted. Many of the Routers and NAS devices are end-of-life (EOL) D-Link devices that do not have any patches available. |
Black Basta Ransomware
A new alert from CISA, the FBI, the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) reveals that Black Basta affiliates have attacked 12 of the 16 critical infrastructure sectors, including healthcare organizations. |
PAN-OS GlobalProtect Command Injection Vulnerability
The attack on PAN-OS GlobalProtect devices identified as CVE-2024-3400 allows a malicious actor to remotely exploit an unauthenticated command injection vulnerability that leads to remote code execution. Once established, the attacker can further collect configurations, deliver malware payloads and move laterally and internally. |
Akira Ransomware
FortiGuard Labs continue to observe detections in the wild related to the Akira ransomware group. According to the new report by CISA it has targeted over 250 organizations since the past year, affecting numerous businesses and critical infrastructure entities across North America, Europe, and Australia. The gang has made over $42 million from the attacks as ransom payments. |
Sunhillo SureLine Command Injection Attack
The attack on Sunhillo SureLine identified as CVE-2021-36380 allows a malicious actor to exploit an unauthenticated OS Command Injection vulnerability. Once established, the attacker can gain command over the targeted system and potentially achieving full system compromise.
|
Nice Linear eMerge Command Injection Vulnerability
The vulnerability tracked as CVE-2019-7256 affecting an access control system called Linear eMerge E3-Series is affected by an OS command injection flaw that could allow an attacker to cause remote code execution and full access to the system. |
ConnectWise ScreenConnect Attack
Threat actors including ransomware gangs are seen exploiting newly discovered critical flaws in remote monitoring and management software called ScreenConnect.
|
Outbreak Alert- Annual Report 2023
FortiGuard Labs published a total of 38 Outbreak Alerts in the year 2023 comprising of 23 Significant Vulnerabilities, 8 Targeted Attack Campaigns, 4 OT/IoT Threats and 3 Malware related Threats. Read the full Annual Report to review the observed significant threats in 2023 and on-going. |
Androxgh0st Malware Attack
FortiGuard Labs continue to observe widespread activity of Androxgh0st Malware in the wild exploiting multiple vulnerabilities, specifically targeting- the PHPUnit (CVE-2017-9841), Laravel Framework (CVE-2018-15133) and Apache Web Server (CVE-2021-41773) to spread and conduct information gathering attacks on the target networks |
Adobe ColdFusion Access Control Bypass Attack
FortiGuards labs observed extremely widespread exploitation attempts relating to security bypass vulnerabilities in Adobe ColdFusion. Successful exploitation could result in access of the ColdFusion Administrator endpoints. |
Lazarus RAT Attack
A new campaign conducted by the Lazarus Group is seen employing new DLang-based Remote Access Trojans (RATs) malware in the wild. The APT groups has been seen to target manufacturing, agricultural and physical security companies by exploiting the Log4j vulnerability and using it for initial access leading to a C2 (command and control) channel with the attacker. |
Microsoft SharePoint Server Elevation of Privilege Vulnerability
CVE-2023-29357 is an authentication bypass vulnerability, which means that adversaries may use it to escalate privileges on affected installations of Microsoft SharePoint Server. If the user is a privileged account, such as an administrator, the attacker will gain elevated privileges. |
JetBrains TeamCity Authentication Bypass Attack
Multiple Threat actors seen exploiting the authentication bypass flaw in JetBrains TeamCity that could lead to remote code execution. If compromised, they can access a TeamCity server, gaining entry to a software developer's source code, signing certificates, and the power to manipulate software building and deployment procedures. This access could also be misused by these malicious actors to carry out supply chain operations. |
Apache ActiveMQ Ransomware Attack
Ransomware attackers are targeting servers running outdated and vulnerable versions of Apache ActiveMQ by exploiting a recently fixed vulnerability (CVE-2023-46604). |
Citrix Bleed Attack
CVE-2023-4966 is being widely exploited, with multiple threat actors, including ransomware groups, targeting internet-accessible NetScaler ADC and Gateway instances. After exploiting CVE-2023-4966, the attackers may engage in network reconnaissance, stealing account credentials and moving laterally via RDP. |
Cisco IOS XE Web UI Attack
Active exploitation of a previously unknown vulnerabilities in the Web User Interface (Web UI) of Cisco IOS XE software when exposed to the internet or untrusted networks. According to open source articles, thousands of vulnerable devices have been compromised. |
|