Fortinet Archives - My TechDecisions
https://mytechdecisions.com/tag/fortinet/

Patch FortiGate SSL-VPN Devices Immediately
https://mytechdecisions.com/network-security/patch-fortigate-ssl-vpn-devices-immediately/
Tue, 13 Jun 2023 15:59:33 +0000

Cybersecurity firm Fortinet is warning organizations of a critical vulnerability in its FortiGate SSL-VPN devices, continuing a string of recent exploitations of vulnerabilities in similar devices due to their internet-facing nature and access to a victim’s network.

The vulnerability, tracked as CVE-2023-27997, is a heap-based overflow flaw that could allow a remote attacker to execute arbitrary code or commands via specially crafted requests, says the Sunnyvale, Calif.-based firewall and endpoint security firm.

According to Fortinet, its Product Security Incident Response Team initiated a code audit of the SSL-VPN module following a previous incident in January that also involved exploitation of FortiOS SSL VPN; the audit identified issues that have been remediated in the company’s patch.

The investigation found that CVE-2023-27997 “may have been exploited in a limited number of cases.”

In the company’s blog, Fortinet says the attacks mimic the activity of Volt Typhoon, a suspected China-sponsored hacking group that has been targeting critical infrastructure organizations. However, Fortinet doesn’t go as far as to link exploitation of the vulnerability to that group, though it does expect Volt Typhoon and other threat actors to leverage the bug in unpatched software and devices.

FortiGate devices were identified by the U.S. National Security Agency as being targeted by Volt Typhoon as an initial intrusion vector.

Organizations should apply the patch immediately. If they aren’t able to do so, disabling SSL-VPN is a legitimate workaround, the company says.

These devices and other SSL VPN products from Citrix, Pulse Secure and others have been popular targets in recent years, says Satnam Narang, senior staff research engineer at vulnerability management firm Tenable.

According to Narang, these flaws have not only been exploited by ransomware groups but also by nation-state aligned threat actors with a particular focus on flaws in Fortinet devices.

“SSL-VPNs are attractive targets due to their internet-facing nature, providing access to a company’s intranet,” Narang says. “They became even more popular at the beginning of the pandemic, as organizations shifted towards allowing for remote work.”

Narang adds that pre-authentication bugs like CVE-2023-27997 are especially valuable to remote attackers because they don’t need to have valid credentials.

“Despite patches being available, the inherent value of the flaw remains significant, considering the ongoing success threat actors achieve by exploiting known, unpatched vulnerabilities,” Narang says. “It’s not a question of ‘if’, but rather ‘when’ a public proof-of-concept exploit for this flaw is made public, that we can expect more widespread scanning and exploitation of vulnerable assets.”

Ransomware, Zero-Day Vulnerabilities On the Rise
https://mytechdecisions.com/network-security/ransomware-zero-day-vulnerabilities-on-the-rise/
Wed, 17 Aug 2022 19:43:49 +0000

The number of new ransomware variants nearly doubled in the first half of 2022 and attackers are increasingly leveraging zero-day vulnerabilities, painting a dire picture for IT and cybersecurity professionals, according to a new report from cybersecurity solutions provider Fortinet.

According to the company’s FortiGuard Labs Threat Landscape report for the first half of 2022, there were 10,666 new ransomware variants observed, compared to just 5,400 in the second half of 2021. Ransomware groups are using subscription-based models, similar to how cloud-based software and services are consumed today, to achieve a quick payday, the report says.

Alongside a surge in wipers and destructive malware, and with operational technology vulnerabilities continuing to be prime targets for attackers, 2022 is on pace to be another record year for zero-day vulnerabilities, Fortinet’s report says, with 72 zero days discovered in the first half of the year.

From the beginning of 2020 to June 2022, the average number of zero-day bugs Fortinet published every six months has risen consistently, with others reporting similar trends.

Citing Google researchers, Fortinet says more than two-thirds of the flaws discovered in 2021 were tied to popular and well-known vulnerability classes, such as memory corruption issues, with the rest primarily stemming from logic and design vulnerabilities.

The report dives into a handful of such vulnerabilities discovered in 2022:

The first half of 2022 served up several examples of such vulnerabilities. One was “MSDT Follina,” a remote code execution vulnerability in the Microsoft Support Diagnostic Tool (CVE-2022-30190). It gave attackers a trivially easy way to compromise systems via Office documents. Security researchers reported several threat actors – including nation-state-based groups – exploiting the flaw in data-theft campaigns and dropping ransomware such as Qakbot on target networks.

CVE-2022-24521, in Microsoft Windows’ Common Log File System (CLFS) driver, was another major 0-day bug in H1 2022. Microsoft issued a fix for the vulnerability in April after researchers from the US National Security Administration (NSA). Another 0-day that garnered attention in 1H 2022 was CVE-2022-26134, an unauthenticated code execution vulnerability in Atlassian’s Confluence Server and Data Center technology. Attackers exploited this vulnerability to drop web shells, ransomware, and cryptominers on vulnerable systems. And CVE-2022-26925, a spoofing vulnerability in the Microsoft Local Security Authority (LSA) function, gave threat actors a way to force domain controllers to authenticate to them.

The report also touches on Log4Shell, saying it was by far the most exploited vulnerability in the first half of 2022. Although exploitation may not have reached the peaks that were expected, advanced threat actors are making use of it to target U.S. government systems.

Piggybacking on a Cyber Safety Review Board report that suggests Log4Shell will remain an endemic vulnerability for years, Fortinet says the bug will remain in its top charts for a long time.

“Since the vulnerability is found in so many fundamental systems, it can be extremely difficult to update one system without breaking other parts of the system in the process. Cybercriminals will exploit anything and everything that can get them the initial access to the data or action they desire to achieve. We’ll most likely continue to see Log4j on our “top” charts for a long time. This is an excellent testament to the importance of vulnerability assessments and active and virtual patching,” the company says in the report.

Read the report for other findings, including the rising use of defense evasion techniques.

Make Sure These 15 Most Exploited Vulnerabilities From 2021 Are Patched
https://mytechdecisions.com/network-security/15-most-exploited-vulnerabilities-from-2021/
Thu, 28 Apr 2022 15:00:50 +0000

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with a coalition of U.S. and foreign security and law enforcement agencies, has released a list of the 15 most exploited vulnerabilities from 2021, calling on both public and private organizations to ensure these critical security bugs are mitigated and systems patched.

The list, published in a joint cybersecurity advisory between U.S., UK, Australian, Canadian and New Zealand agencies, includes many vulnerabilities IT professionals should already be familiar with, including Log4Shell, ProxyShell, ProxyLogon, ZeroLogon and other unnamed vulnerabilities impacting common IT products.

According to the advisory, agencies observed malicious actors routinely exploiting these vulnerabilities in 2021, and several of them were also routinely exploited in 2020. That continued exploitation suggests many organizations are still behind on patching software against known security vulnerabilities.

In fact, four of the top 15 most exploited vulnerabilities are at least two years old, including one each from 2019 and 2018.

Other bugs noted that didn’t make the top 15 include several from 2020 and prior, such as a pair of 2017 Microsoft Office remote code execution bugs and a remote arbitrary code execution bug in Cisco IOS and IOS XE. Others from 2021 include the Windows Print Spooler remote code execution bug known as PrintNightmare and flaws impacting products from VMware, SonicWall, Accellion, Pulse Secure and others.

The advisory of the most exploited vulnerabilities from last year urges organizations to:

  • Update their systems as soon as possible or implement vendor-approved workarounds.
  • Use a centralized patch management system.
  • Replace end-of-life software that is no longer supported by the vendor.
  • Outsource patching and scanning to a cloud service provider or managed service provider when IT manpower is limited.
  • Harden IT environments by introducing multi-factor authentication, regularly reviewing privileged accounts, implementing a policy of least privilege, configuring networks securely, segmenting networks, monitoring for malicious activity and more.


For more information on known exploited vulnerabilities, view CISA’s catalog of (as of April 28) more than 650 bugs that are being actively exploited.
