FortiGuard Labs | FortiGuard Center - Outbreak Alerts

ConnectWise ScreenConnect Attack

Threat actors including ransomware gangs are seen exploiting newly discovered critical flaws in remote monitoring and management software called ScreenConnect.

Outbreak Alert- Annual Report 2023

FortiGuard Labs published a total of 38 Outbreak Alerts in the year 2023 comprising of 23 Significant Vulnerabilities, 8 Targeted Attack Campaigns, 4 OT/IoT Threats and 3 Malware related Threats. Read the full Annual Report to review the observed significant threats in 2023 and on-going.

Ivanti Connect Secure and Policy Secure Attack

Widespread exploitation of zero-day vulnerabilities affecting Ivanti Connect Secure and Policy Secure gateways underway.

Androxgh0st Malware Attack

FortiGuard Labs continue to observe widespread activity of Androxgh0st Malware in the wild exploiting multiple vulnerabilities, specifically targeting- the PHPUnit (CVE-2017-9841), Laravel Framework (CVE-2018-15133) and Apache Web Server (CVE-2021-41773) to spread and conduct information gathering attacks on the target networks

Adobe ColdFusion Access Control Bypass Attack

FortiGuards labs observed extremely widespread exploitation attempts relating to security bypass vulnerabilities in Adobe ColdFusion. Successful exploitation could result in access of the ColdFusion Administrator endpoints.

Microsoft SharePoint Server Elevation of Privilege Vulnerability

CVE-2023-29357 is an authentication bypass vulnerability, which means that adversaries may use it to escalate privileges on affected installations of Microsoft SharePoint Server. If the user is a privileged account, such as an administrator, the attacker will gain elevated privileges.

JetBrains TeamCity Authentication Bypass Attack

Multiple Threat actors seen exploiting the authentication bypass flaw in JetBrains TeamCity that could lead to remote code execution. If compromised, they can access a TeamCity server, gaining entry to a software developer's source code, signing certificates, and the power to manipulate software building and deployment procedures. This access could also be misused by these malicious actors to carry out supply chain operations.

Lazarus RAT Attack

A new campaign conducted by the Lazarus Group is seen employing new DLang-based Remote Access Trojans (RATs) malware in the wild. The APT groups has been seen to target manufacturing, agricultural and physical security companies by exploiting the Log4j vulnerability and using it for initial access leading to a C2 (command and control) channel with the attacker.

Apache ActiveMQ Ransomware Attack

Ransomware attackers are targeting servers running outdated and vulnerable versions of Apache ActiveMQ by exploiting a recently fixed vulnerability (CVE-2023-46604).

Citrix Bleed Attack

CVE-2023-4966 is being widely exploited, with multiple threat actors, including ransomware groups, targeting internet-accessible NetScaler ADC and Gateway instances. After exploiting CVE-2023-4966, the attackers may engage in network reconnaissance, stealing account credentials and moving laterally via RDP.

Cisco IOS XE Web UI Attack

Active exploitation of a previously unknown vulnerabilities in the Web User Interface (Web UI) of Cisco IOS XE software when exposed to the internet or untrusted networks. According to open source articles, thousands of vulnerable devices have been compromised.

HTTP/2 Rapid Reset Attack

A newly identified Distributed Denial-of-Service (DDoS) attack technique is used in the wild. This DDoS attack, known as 'HTTP/2 Rapid Reset', leverages a flaw in the implementation of protocol HTTP/2.

Google Chromium WebP Vulnerability

The Google Chromium WebP heap buffer overflow vulnerability has been actively been exploited in the wild. The exploitation of the vulnerability is through a crafted image that can impact the affected applications to crash or lead to arbritrary code execution.

Agent Tesla Malware Attack

FortiGuard Labs captured a phishing campaign that spreads a new Agent Tesla variant. This well-known malware family uses a .Net-based Remote Access Trojan (RAT) and data stealer to gain initial access by exploiting vulnerabilities Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802. The Agent Tesla core module can collect sensitive information from the victim's device that may include the saved credentials, keylogging information, and device screenshots..

Zoho ManageEngine RCE Vulnerability

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus, Password Manager Pro and ADSelfService Plus, allow remote code execution due to the usage of an outdated third party dependency, Apache Santuario. Successful exploitation could lead to remote code execution and evidence of exploitation in the wild by Advanced Persistent Threat (APT) Groups.

Apache RocketMQ Remote Command Execution Vulnerability

RocketMQ versions 5.1.0 and below are vulnerable to Arbitrary Code Injection. Broker component of RocketMQ is leaked on the extranet and lack permission verification. An attacker can exploit this vulnerability by using the update configuration function to execute commands or by forging the RocketMQ protocol content. CVE-2023-33246 is reportedly being exploited in the wild. Additionally, proof-of-concept (PoC) code is publicly available.

Adobe ColdFusion Deserialization of Untrusted Data Vulnerabilities

FortiGuard Labs continue to see cyber-attacks targeting to exploit the ColdFusion vulnerability CVE-2023-26360. Blocking over multiple hundreds of attacks over the last weeks.

Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability

Ivanti Endpoint Manager Mobile (EPMM, formerly MobileIron Core) contains an authentication bypass vulnerability (CVE-2023-35078) that allows unauthenticated access to specific API paths and a path traversal vulnerability (CVE-2023-35081). An attacker with access to these API paths can access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system. An attacker can also make other configuration changes including installing software and modifying security profiles on registered devices.

Zyxel Router Command Injection Attack

A command injection vulnerability (Zyxel P660HN-T1A v1) in the Remote System Log forwarder function of firmware version 3.40 (ULM.0) b3 could allow a remote unauthenticated attacker to execute some OS commands by sending a crafted HTTP request.

Zyxel Multiple Firewall Vulnerabilities

Multiple critical vulnerabilities affecting various Zyxel devices have been seen exploited in the wild. The attackers are observed deploying Mirai like botnet inducing denial of service conditions. One of the vulnerability, CVE-2023-28771 which allows unauthenticated attackers to execute OS commands remotely has a publicly available proof of concept (PoC).
Distributed by