The Need to Know: Black Basta Ransomware Gang

/in /by

By: Mark Sangster, Chief of Strategy, and Kevin O’Connor, Director of Threat Research

Virulent Ransomware Gang Has Ties to FIN7 State-Sponsored Group

Discovery of Ransomware Gang FIN7

I discovered a rather clever adversary targeting investment firms in New York almost ten years ago. At the time, the group used Microsoft Macros to launch a fake Windows log-in pane to harvest credentials. Once an account was compromised, the adversaries would use it to send the phishing to the next victim. From that account, they moved to the next, and so on, until they captured key accounts at 70 funds. The number might sound small, but these firms managed billions in funds, so much so that the Security Exchange Commission (SEC) was concerned about a campaign to destabilize the economy, slowly crawling back from the 2008 subprime lending market collapse. The Russian-affiliated group was eventually labeled FIN7.

Black Basta Ransomware Gang Emerges

Fast forward to the present, and FIN7 crosses my desk. Yahoo! Finance asked me to comment on several ransomware attacks on food services and a grocery chain. It turns out the culprit, another Russian gang, Black Basta, had left its ransomware mark on over 50 victims since April of this year. According to SentinelOne research, there are trademark FIN7 (also called Carbanak) tactics and tools, including evasion tools and backdoor malware.

While FIN7’s original focus was financial data and institutions, a shift to a broader market, associations and the food industry is no surprise. Destabilizing food supply or heat utilities in the winter tend to create social angst and lead to eroded faith in the government to protect its citizens. While groups like Black Basta are primarily driven by financial gain, ideological impact as a byproduct is a free benefit.

A Political Big Brother: Russia

Given the hostilities in Ukraine, Russian retaliation against western countries providing support to Ukraine was deemed fair game for cybercriminals (like they were ever offside). Many of these groups (like Black Basta) either operate with impunity in Russia or some level of collusion or coordination with Russian agents.

FIN7 and Black Basta share more than ideology; a political big brother to protect them and target organizations. FIN7 technology brought nation-state capabilities to smaller ransomware gangs before ransomware-as-a-service with a thing (RaaS). They set the benchmark for researching their targets and using tactics that emulate insiders or actors that appear to be “in the know” of confidential information.

Ransomware Tactics Used

Ransomware gangs, like Black Basta, leveraged multi-extortion techniques (not unique), with enviable defense evasion and late manifesting symptoms that hide their presence until the ransomware detonation. They also rely on commodity malware like living off-the-land exploitation techniques, including the ever-growing popularity of Quakbot, PowerShell, WMI, netcat (used for lateral tunneling), mimikatz, CobaltStrike, and Coroxy. They’re also known for using the PrintNightmare vulnerability (CVE-2021-34527) for lateral movement, which can run on Linux against VMWare hypervisors to encrypt multiple hypervisor-hosted systems.

While sophisticated, they still rely on unpatched vulnerabilities, broad administrative access, and unguarded entry points. Consider Black Basta master chefs who can make delicious meals with reliable ingredients. Similarly, their encryption algorithm, ChaCha20, uses a robust RSA-4096 key but requires administrative privilege to execute.

Now What? CIS Controls to Implement

It’s a good news / bad news story. The bad news is that one of the most sophisticated ransomware gangs is back on the prowl. The good news is that they are mortal and can be stopped. They still use conventional tactics to infiltrate their targets: open vulnerabilities, unencrypted remote access points, exposed credentials, and over-provisioning administrative privilege. All of these tactics are detectable. Unfortunately, your insurance firm’s paneled incident response firm usually finds them as part of your claim.

The Center for Internet Security (CIS) is an excellent place for organizations to build a strong cybersecurity posture. CIS provides 18 controls for organizations of all sizes to safeguard data and mitigate cyber-attacks or ransomware attacks against their networks and systems. Here are just a few to get started with:

CIS Security Controls

  • CIS Control 7: Continuous Vulnerability Management (CVM)
    • CVM covers one of the 18 controls by closing the gaps between significantly reducing risk and security assessments. Managing vulnerabilities and understanding is a continuous activity requiring the focus of resources, time, and attention. CVM assesses and tracks vulnerabilities on all enterprise assets within the infrastructure. It minimizes and remediates the window of opportunity for cybercriminals.
  • CIS Control 8: Audit Log Management
    • Audit log management is the process of recording any activity used across an organization within the software systems. Audit logs document any occurrence of an event, the impacted entity, when it occurred, and who is responsible. In addition, compliance regulations require logs to be kept for a certain amount of time. Ensuring organizations collect, review, retain, and alert audit logs of events helps recover from an attack quicker.
  • CIS Control 14: Proactive Security Awareness
    • Employees are every organization’s first line of defense. It is critical to arm them with the proper knowledge and skills to properly identify and report any suspicious activity. A Proactive Security Awareness Program empowers employees with the needed expertise. Security software can only defend for so long until someone clicks a malicious link- take the proactive approach.
  • CIS Control 18: Penetration Testing
    • A penetration test or ‘ethical hacking’ evaluates the security of a system by attempting to breach accessibility, integrity, or confidentiality. A test provides real-world penetration scenarios covering industry-specific threat assessments offering actionable recommendations and rapid results.

The Adlumin Advantage

As co-founder and CEO of Adlumin, Robert Johnston is fond of saying even the biggest hacks had common factors and tactics. While companies were spending millions in the wake of massive data breaches, for a fraction of that cost, they could stop these common criminal chokepoints.

The Adlumin Security Operations Platform is designed to detect sophisticated tactics used by state-sponsored actors and provide simple response capabilities to disable compromised accounts, deactivate remote access services when suspicious activity is present, and identify event manipulation like creating unreconciled users or promoting account privileges. With Adlumin, you can stop these attacks early in the life cycle and prevent them from disrupting your business.

Are your Security Defenses Ready?

For more information, contact one of our cybersecurity experts for a demo to get started.

Business Email Compromise Warning Signs and Defense

/in /by

By: Brittany Demendi, Corporate Communications Manager

According to recent FBI warnings, Business Email Compromise (BEC) scams are rising for organizations in the United States, naming them the $43 billion scam in 2022. Cybercriminals use these scams to ruthlessly target small to medium-sized businesses by researching and posing as vendors or employees attempting to siphon money. BEC scams do not require much sophistication, making them simple yet effective.  

This blog identifies how a BEC scam works and how an organization can better protect itself before falling victim.   

How Does a BEC Attack Work? 

Cybercrime is an evolving game, and cybercriminals adjust their strategies and tactics as security increases. BEC attacks don’t need a tradecraft or advanced tool to execute so they can be presented in many forms. Here is how a typical attack can operate and run its course: 

Research Target 

Launch Attack OR Social Engineering 

Winner, Winner 

  • Research Target: Cybercriminals research and prepare for an attack by sifting through business email databases, mining LinkedIn profiles, or even searching company websites for information. They then carefully craft an email to the targets.  
  • Launch Attack Option 1 – Phishing: Cybercriminals start their BEC attacks by sending out mass emails to see whom they can catch. During this phase, they use fake email names and look-alike domains to trick employees into thinking it’s a legitimate email and ultimately get them to click the link.  
  • Launch Attack Option 2 – Social Engineering: Cybercriminals impersonate employees, specifically CEOs, attorneys, or vendors, to build trust with the target. They typically ask for an urgent request so that the employee will act immediately.  
  • Winner, Winner: Cybercriminals make a financial gain or obtain account compromise. The cybercriminal successfully fooled the employee into believing that they were someone else.  

How to Prevent a BEC Attack 

Cybercriminals leave breadcrumbs before an actual attack occurs. In 2022, the average time to identify and contain an attack was 277 days. When you break it down, it took 207 days to identify the breach and an additional 70 days to contain it, according to IBM Report. If we can identify and contain breaches early, for example, in Phase 2, we can mitigate the financial damage and loss to an organization. The goal is to incorporate security awareness into every department, making it a part of the company culture and continuously testing the strength of your security.  

Security Culture and Human Intelligence   

Many account compromises, data breaches, and ransomware attacks could have been avoided. As an organization, you can take as many preventative measures and precautions as possible to mitigate the risk of an attack, and all it will take is a simple human error to put you at risk.  

The good news is that there are measures organizations can take, such as implementing robust, Proactive Security Awareness Training. These programs empower employees to identify and report suspicious activity as the first line of defense during Phase 2 of an attack. It’s essential that training is not one-off sessions. The program is more efficient when it is consistent training that facilitates a positive cybersecurity culture, along with testing employees’ knowledge, so they are better prepared for when an actual BEC attack occurs.  

The type of culture built at your organization directly impacts your success. For more tips, in a previous blog post, we outlined different ways to create a culture focused on security.   

Test Your Security Strength and Protection 

In addition to equipping employees with the proper knowledge, consistently testing your defenses is another proactive solution. Specifically, testing the Microsoft 365 (M365) environment will not only identify where gaps are in your protection, but it will test how your security stacks up to top tactics used to compromise accounts. Millions of organizations use M365, making it a popular target for cybercriminals mainly due to the amount of data and information they have access to when successfully compromising an account.  

Security teams often lack the proper resources to identify risk areas and test their security programs. However, the free tool, M365 BEC Simulation Tool, allows organizations to test different scenarios that can compromise accounts on their security defense. The tool will also test to see how protected they are and are a huge help against BEC and ransomware attacks.  

The free M365 BEC Simulation Tool can be highly beneficial because it tests the most common attacks cybercriminals use, such as brute force attack-to-success, logins using Tor to breach an account, and a successful login from a foreign country. In a recent blog post, we go into detail about how each one of these tactics works and what your proactive solution is against them.   

The Proactive Approach

BEC attacks are low-risk, high-reward ways cybercriminals take advantage of employees and the security gaps within an organization’s defense. With smaller businesses being the number one target for BEC scams, cybercriminals know they typically have lower budgets for security. A light at the end of the tunnel, and free tools are available to you.  

In addition, Managed Detection and Response Security Operation platforms and Managed Detection and Response (MDR) services are an extension of your security team by delivering top talent and expertise for a cost-effective rate. BEC attacks are rapidly growing and are the most financially damaging. What are you going to do to mitigate the risk?  

Test Your Defenses: New Adlumin M365 Tool

/in /by

By: Shaul Saitowitz, Data Scientist at Adlumin

Test Your Defenses – For Free

Adlumin developed a free tool that measures how organizations’ security stacks up against today’s most popular cyberattack tactics against Microsoft. Conceived by Adlumin’s cofounder and CEO, Robert Johnston, the Microsoft 365 (M365) Business Email Simulator (BEC) tool is the first of a Test Your Defenses tool series slated for the 2023 rollout.

Adlumin’s M365 BEC Simulator tool allows organizations of all sizes to test their defenses against a brute force attack-to-success on a Microsoft 365 account, login from a foreign country, and Tor usage to access your network from a randomized location. The simulation is a quick but effective test of how well your systems are being monitored. Don’t turn a blind eye to threats lurking in plain sight.

This blog will dive into the three main attack tactics cybercriminals use to access your account and how Adlumin’s M365 BEC Simulator free tool can help you see where your security gaps are.

Tactic 1: Logins Using Tor to Breach an Account

The Tor network is system cybercriminals use to facilitate anonymous communication by hiding their Internet Protocol (IP) address through private connections and encryption. There can be some legitimate users within the Tor network; however, it can also be overwhelmingly malicious due to the network’s ability to act as a smokescreen to obscure and anonymize web activity.

Cybercriminals utilize the Tor network because it covers their tracks by directing internet traffic through thousands of relay nodes. If someone is using Tor to access your network, you want to know about it. Adlumin’s M365 BEC Simulator tool tests this type of attack to see if your security holds up against it, so you can further investigate.

Tactic 2: Brute Force Attacks-to-Success

Brute force attacks are a common way for attackers to gain access to a system using a high-volume guessing of passwords until they get lucky. Adlumin’s investigation and research show automated brute force attempts are common for any login exposed to the internet. This includes services that aren’t configured, such as Microsoft Exchange Online. The potential rewards of brute force attacks are huge because a cybercriminal gains access to your account that may host confidential information or data.

The new M365 BEC Simulator tool tests a successful brute force attack to see how your security is against it.

In addition, Multi-Factor Authentication (MFA) malfunctions are a related threat and need to be reported to ensure the assessment of second-line defenses. For example, Adlumin reports MFA failure for Okta and Cisco Duo clients through a Data Science logic for identifying suspicious incidents. Even with such alerting, routine testing is required to ensure breaches don’t go unnoticed, allowing time for a hacker to explore your file system.

Tactic 3: Foreign Country Logins

Most cyberattacks come from unidentified cybercriminals or groups from all over the world. That said, most cybercriminals don’t just target individuals or organizations in their native country. Some of the most successful account logins come from unusual locations that the user is clearly not at. When your organization gets hit from an area where none of your employees work, your accounts and data are no longer safe.

The Adlumin M365 BEC Simulator tool takes care of the many tricky details of simulating such intrusion, allowing you to stress-test logins from distant shores without spending on air tickets, whether from a Mumbai high-rise or a train station in Düsseldorf.

Does Your Security Measure Up?

See how your security stacks up against top tactics used to compromise accounts. Download Adlumin’s free M365 BEC Simulation tool today, or contact one of our cybersecurity experts for a demo and more information.

The Evolving Role of the Banker in Today’s Cyber Landscape

/in /by

Register for Adlumin’s Upcoming Webinar: The Evolving Role of the Banker in Today’s Cyber Landscape

Date: January 19, 2023

Time: 1:00 PM- 1:30 PM Eastern

Attendee Link: https://adlumin.com/webinar/banker-in-todays-cyber-landscape/

Cybersecurity culture is more than just awareness. It requires employees from all departments to participate in the broader corporate culture of daily actions, encouraging them to make mindful decisions that align with security policies.

Join a panel of industry experts from Adlumin, BankTech Ventures, and Beauceron Security as they discuss top cyber threats for businesses, how easily bank employees’ emails are compromised, and how to be proactive with your security.

Key Takeaways:

  • Why you should invest in password managers for both business and personal
  • Importance of regular tabletop exercises with technical and nontechnical teams
  • How to create a cybersecurity culture across the entire organization

Navigating Strong Personalities: Effective Leadership in Cyber Crisis Management

/in /by

By: Mark Sangster, Chief of Strategy

In a cyber crisis, who makes the decisions: The senior person? The technical expert? The self-appointed hero? When it comes to effective crisis leadership, removing emotion is critical. This guide identifies six personalities that emerge during a cyber crisis and how to harness challenging styles.

You’ll learn about the following personalities:

  • The Hero
  • The Martyr
  • The Hinderer
  • The Hoarder
  • The Captain

Harness Each Personality

Everyone metabolizes stress differently. To be the most effective leader during a cyber crisis, it is important to learn how to navigate the pitfalls of the human element. Quickly identifying learning types helps team leaders and executives assign specific members to the incident response team and assign responsibilities and tasks.

Download The Ultimate Guide to Managing Strong Personalities During a Cyber Crisis to learn how to manage these personalities properly.

Battling Business Email Compromise with Cybersecurity Automation

/in /by

By: Brittany Demendi, Corporate Communications Manager

According to Security Magazine, there has been a 150% year-over-year increase in Business Email Compromise (BEC) attacks, making them the most financially damaging type of attack. When this threat is getting worse every year, it’s no surprise the FBI named BEC the “$26 billion scam.”

So, what exactly is a BEC scam, and how do we protect against them?

This blog will dive into the details of these attacks, covering how an attack works to your defense against them.

What is Business Email Compromise?

BEC is a cybercriminal phenomenon with a high risk of severe consequences. These attacks are more likely to rise, both in frequency and losses to organizations, big or small, that fall victim. BEC is a common scam where cybercriminals pose as vendors or company employees attempting to commit wire transfer fraud, among other tactics.

The FBI reported nearly $2.4 billion in adjusted losses due to BEC scams, which is reported as 49x as much as ransomware losses in 2021. These scams are simple yet effective and have become more sophisticated as prevention methods are implemented. For example, cybercriminals use a common form of phishing called domain spoofing, where they fake a website or email domain to fool the target into clicking or responding.

BEC has been known as a low-risk, high-reward way to siphon money from organizations. The FBI calls out five primary types of BEC attacks to be aware of:

  • Data Theft: Cybercriminals target human resource employees to obtain personal and confidential information about individuals within the organization, specifically executives. Cybercriminals use this information as leverage or to impersonate someone for future attacks.
  • Account Compromise: Cybercriminals gain access to an employee’s email account and use it to request money from vendors. Payments are sent to bank accounts controlled by cybercriminals.
  • Attorney Impersonation: Cybercriminals often impersonate legal representatives or lawyers over the phone. Lower-level or entry-level employees are targets for these attacks due to not knowing to question the authenticity of the request.
  • CEO Fraud: Cybercriminals position themselves as an executive or CEO of a company. Posing as a CEO, cybercriminals typically target an employee within the finance or accounting department, requesting funds to be transferred to an account controlled by the cybercriminal. Or they request sensitive information.
  • False Invoice Scheme: Cybercriminals target organizations that use foreign suppliers are the main target of this tactic. The cybercriminal impersonates the supplier requesting payments or fund transfers into an account controlled by the cybercriminals.

Techniques for Business Email Compromise: Phishing

As we have touched on in a previous blog post, phishing is an early-stage and reliable tactic used by cybercriminals to gain access to networks as a part of a more powerful attack. In other words, phishing can be used as a technique or vessel for BEC.

An example of phishing as a BEC technique is as simple as receiving an email from your IT department asking you to update your password or complete a security awareness training module. You then click the links provided in the email, not noticing the extra letter in the company email domain or the unusual URL provided.

Cybercriminals commonly use techniques like the above phishing email example to lure a potential victim into performing dangerous actions that put organizational data at risk, costing an organization a significant amount of money.

Illuminating Threats

BEC scams can be highly transactional; cybercriminals do their research targeting large corporations’ email accounts and employees who use email for daily financial transactions. From global corporations to medium and small businesses, everyone is vulnerable to BEC.

There is not one type of software or solution that can combat BEC. A suggested approach is multifaceted and multilayered, including a strategic combination of implementing cybersecurity awareness training, business email compromise simulators, behavior analytics, and multi-factor authentication.

When security teams often lack the proper resources to test their security programs, they need a tool to understand their organization’s risk to the current and evolving threats. A BEC simulator tool tests prevalent attacks while identifying areas of risk. When paired with Proactive Security Awareness, employees gain awareness and are empowered with the knowledge and skills to identify suspicious activity. While BEC simulators are testing the strength of security tools, Proactive Security Awareness uses real-life de-weaponized attack campaigns holding every employee accountable for their actions without damage to the organization.

Your Defense: Automation

BEC scams require a people-centric and automated defense that can detect, prevent, and respond to a wide range of BEC scams and phishing techniques. Automation is about leveling the playing field between cybercriminals and cybersecurity experts with the goal in mind of reducing the number of threats by eliminating vulnerabilities and risk through the prevention of identification of zero-day attacks and known cyber threats.

An automated cybersecurity solution, combined with cybersecurity experts, eliminates human error, increases agility, and reduces response time and remediation costs. In addition, security and behavior analytics assist with tracking users to ensure that an employee signing into a network is legitimate.

Email is the largest infection vector for transmitting threats, requiring a reliable solution to remain resilient. Domain authentication, email security, user awareness, and content inspectors must work together to provide the utmost protection.

2022: In Case You Missed It

/in /by

By: Brittany Demendi, Corporate Communications Manager

As we begin to wrap up 2022, we reflect and want to share with you some of the most prevalent cybersecurity topics covered this past year. From remote work to data breaches, one thing has been consistent: how hungry our readers are for cybersecurity information to improve their security posture. Cyberattacks will happen regardless of how big or small an organization is, and the better you become at educating yourself to strengthen your strategy, the better off you’ll be in the new year.

Here are five of our reader’s favorite blogs of 2022

    Remote Work Challenges

1. Remote Work and The Human Error: 3 Major Challenges

Working from home is a significant game-changer for organizations, and it doesn’t look like it is going away anytime soon. While working from home has benefits and advantages for both organizations and employees, it comes with an abundance of new cybersecurity risks that need to be accounted for. As the employees’ environment changes, so do the magnitude of threats.

In this blog, you’ll learn:

  • The number one reason for cybersecurity attacks
  •  How to help close skill gaps within the cybersecurity industry
  • What embracing the new era of digitalization looks like

Explore three of the most prominent rising challenges organizations need to look out for if they offer remote work; read more.

municipal cyber attack

2. The Rise of Municipal Cyberattacks: Becoming Proactive

Now, more than ever, municipalities are expected to meet the demanding needs of maintaining and sustaining vital sectors within our communities. Cities must do this with strict budgets and limited resources, making them vulnerable targets for cyberattacks. The best way for municipalities to protect themselves from attacks is to tighten up their cybersecurity offensive strategies.

In this blog, you’ll find:

  • Suggested solutions to mitigate cybersecurity risks
  • How Continuous Vulnerability Management can benefit municipalities
  • Why cybersecurity awareness training not only helps employees but helps organizations

We dive deep into four prevention methods municipalities should consider as they look to avoid cyberattacks and reduce the risk of financial loss; read more.

financial institution cybersecurity compliance

3. Mandatory or Not? Achieving Cybersecurity Compliance for Financial Institutions

Compliance is a challenging requirement for not only financial institutions but many organizations. So many new and evolving regulations are mandatory to safeguard data for financial institutions and customers. It is essential to follow them to ensure credibility and trustworthiness and to avoid fines and penalties for being non-compliant.

In this blog, you’ll discover:

  • Which cybersecurity regulations are mandatory vs. optional
  • A solution for taking the burden of staying compliant off your IT team plate
  • What cybersecurity regulations are out there, and what is required

Here is your cybersecurity compliance checklist for financial institutions breaking down what’s out there and what is required; read more.

most expensive data breaches in history

4. More Money, More Problems: The Most Expensive Data Breaches in History

Organizations are paying not just for the immediate repair of a data breach but the aftermath of it. Although cyberattacks are inevitable, the notion that cyberattacks are impossible to stop is one of the largest misconceptions harbored by businesses. As an organization, you have control over the steps you take to mitigate the risk of a breach.

In this blog, you’ll find out:

  • How an organization can fold after a cyberattack and prevention methods
  • The top three most expensive data breaches in history to date
  • What built-in components to look for within a managed security platform

Discover a list of the top three most expensive breaches in history, more notable breaches, and what solutions can mitigate the risk of becoming a national or global headline; read more.

Law firm vulnerabilities

5. Law Firm Vulnerabilities: Why Data Breaches and Bad Actors Strike

Law firms manage unparalleled access to valuable and confidential information, making them a one-stop shop for attracting cybercriminals. It is their responsibility to equip employees with the proper knowledge not to jeopardize clients’ reputations or information. The risk can be mitigated by consistently evaluating security posture to determine where gaps lie and if there are holes within an IT network.

In this blog, you’ll read about:

  • Cyber-threats law firms need to know about
  • What kinds of cybersecurity the American Bar Association requires from attorneys
  • How to properly equip employees and law firms to have the best cybersecurity defense and offense

This blog outlines why cybercriminals target law firms, what types of insider threats to lookout for, and how to properly equip employees for safeguarding data; read more.

Looking Forward to More Cybersecurity Discussions in 2023

As we have seen this past year, security and risk management is no longer considered ‘nice to have’ features of your cybersecurity strategy. Instead, cyber risk management has evolved into a board-level issue for organizations. With cyberattacks becoming more sophisticated and common, new laws and regulations are being passed to protect customer data, and organizations are putting cybersecurity at the core of their decisions. In the following year and beyond, we anticipate more organizations decentralizing, which changes the threat landscape and protection.

Adlumin is here to work as an extension of your IT team or be its core. We understand IT and security teams stretch thin and are here to be your command center for security operations. If you are ready to proactively protect your IT environment, set up a demo or a free trial with one of our cybersecurity experts. Or visit www.adlumin.com for more information.

New Fortinet FortiOS SSL VPN Exploit Observed in the Wild

/in /by

FortiOS Vulnerability

On December 12th, 2022, Fortinet issued a PSIRT Advisory (FG-IR-18-384)¹ for CVE-2022-42475², which identifies a heap-based buffer overflow vulnerability in the sslvpnd service leaving affected systems vulnerable to exploitation. sslvpnd is responsible for providing SSL-based VPN functionality in FortiOS devices and, if exploited, may allow for remote code execution by unauthenticated attackers on the FortiOS device.

Affected versions include devices with:

  • FortiOS version 7.2.0 through 7.2.2
  • FortiOS version 7.0.0 through 7.0.8
  • FortiOS version 6.4.0 through 6.4.10
  • FortiOS version 6.2.0 through 6.2.11
  • FortiOS version 6.0.0 through 6.0.15
  • FortiOS version 5.6.0 through 5.6.14
  • FortiOS version 5.4.0 through 5.4.13
  • FortiOS version 5.2.0 through 5.2.15
  • FortiOS version 5.0.0 through 5.0.14
  • FortiOS-6K7K version 7.0.0 through 7.0.7
  • FortiOS-6K7K version 6.4.0 through 6.4.9
  • FortiOS-6K7K version 6.2.0 through 6.2.11
  • FortiOS-6K7K version 6.0.0 through 6.0.14

This vulnerability has been observed being exploited in the wild since before the release of the PSIRT Advisory and patch availability. Therefore, Fortinet recommends that administrators immediately validate their system by checking the following indicators:

Exploit Log Artifacts

Successfully leveraging this exploit results in a crash of the sslvpnd daemon, which can be observed in device logs as:

Logdesc=”Application crashed” and msg=”[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […]“

Exploit System Artifacts

The presence of the following artifacts may indicate that a FortiOS device has been exploited:

/data/lib/libips.bak
/data/lib/libgif.so
/data/lib/libiptcp.so
/data/lib/libipudp.so
/data/lib/libjepg.so
/var/.sslvpnconfigbk
/data/etc/wxd.conf
/flash

Known Associated Malicious Infrastructure

The following IP Addresses and Ports have been observed using the exploit against potential victims:

  • 188.34.130.40:444
  • 103.131.189.143:30080,30081,30443,20443
  • 192.36.119.61:8443,444
  • 172.247.168.153:8033

Adlumin Response

To ensure the continued protection of our customers, Adlumin’s Threat Research group reviewed stored data for evidence of exploitation of the vulnerability. To search for Indicators of Compromise (IOC), Threat Research used Adlumin’s MDR capabilities, allowing for centralized-logging and querying of data across multiple security relevant devices and platforms.

By searching Firewall and Network Device events, Adlumin was able to observe multiple instances of attempted attacker exploitation of potentially vulnerable FortiOS devices. Proper security practices and configuration resulted in over 96% of the attempted connections being blocked. Adlumin’s Threat Research group also investigated completed connections to identify if exploitation was successfully conducted from the attacker IPs. We notified customers where appropriate to help remediate systems and defend their network.

Adlumin’s Threat Research group also searched for evidence of sslvpnd application crashes on the devices. Observation of logs associated with sslvpnd crashes is a good first indicator that a device was exploited. While we observed crashes for other VPN services, no sslvpnd crashes were found.

Recommendations

Adlumin recommends that all customers using Fortinet FortiOS products immediately update their systems to the latest patched versions, which fixes the current vulnerability:

  • Please upgrade to FortiOS version 7.2.3 or above
  • Please upgrade to FortiOS version 7.0.9 or above
  • Please upgrade to FortiOS version 6.4.11 or above
  • Please upgrade to FortiOS version 6.2.12 or above
  • Please upgrade to upcoming FortiOS-6K7K version 7.0.8 or above
  • Please upgrade to FortiOS-6K7K version 6.4.10 or above
  • Please upgrade to upcoming FortiOS-6K7K version 6.2.12 or above
  • Please upgrade to FortiOS-6K7K version 6.0.15 or above

Adlumin’s Continuous Vulnerability Management (CVM) solution can help your business manage the CVM Lifecycle, including Patch Management. Implementing automated and best CVM practices can help minimize the gap between exploitation capability detection and system defense.

Alternative

If users are unable to patch affected devices, disabling the SSL VPN service should shield the device from exploitation. Migration to other unaffected VPN services, such as IPSEC is also possible.

Resources

  1. Fortinet, PSIRT Advisories – FortiOS – heap-based buffer overflow in sslvpnd https://www.fortiguard.com/psirt/FG-IR-22-398
  2. MITRE, CVE Record – CVE-2022-42475. https://www.cve.org/CVERecord?id=CVE-2022-42475

Best Security Information and Event Management (SIEM) Software

/in /by

Adlumin is featured as one of the top ten Best Security Information and Event Management (SIEM) Software Companies by Gmpis, a software, mobile apps and online services review publication.

Adlumin’s Security Operations Platform plus extended risk management and security services operates as more than a SIEM and is proud to be continuously recognized as being a leader in security analytics and MDR.

“SIEM solutions provide a consolidated view of security events, making them an essential component of Cybersecurity. However, not all SIEM solutions are created equal. When deciding on which SIEM to adopt, it is important to keep in mind that SIEM is not an isolated solution but should be part of a larger security strategy,” Gmpis states.

Adlumin’s Security Operations Platform and MDR services is your command center for security operations. Adlumin illuminates the threats that would have otherwise gone unseen in the lead-up to a massive attack. Our cloud-native platform leverages powerful machine learning to identify critical threats, automates remediation rules and systems updates, and provides live continuous compliance reporting. Our platform is backed by an expert team delivering 24×7 human insights, threat hunting, and the trusted support that larger companies can no longer offer,” Gmpis continues.

Read the full announcement here.

Adlumin Cybersecurity

Headquarters (N-able)
30 Corporate Drive, Suite 400
Burlington, MA 01803
USA
(202) 570-7907

Get a Demo Free Trial Contact Adlumin
Adlumin Inc 5000

Privacy Policy  Sitemap  GDPR Privacy Notice

GDPR Data Processing Addendum  GDPR Privacy Request Form

Copyright 2024 Adlumin, Inc. All Rights Reserved