Fortinet SQLi Vulnerability Causes Remote Code Execution

As I mentioned, the vulnerability is classified as SQL injection, which stems from improper neutralization of special elements used in SQL commands. However, successful exploitation can lead to the execution of the code, embedded into a specially crafted packet. Such a combination of two grants this flaw a CVSS rating of 9.8.

The discovery was made jointly by Fortinet and the UK’s National Cyber Security Center (NCSC). Fortunately, there is currently no information on whether the vulnerability exploited in the wild. But given the researcher’s promise to release indicators of compromise (IoCs), a proof of concept (POC), and a detailed blog next week, the possibility is rather high.

CVE-2023-48788 Vulnerability Overview

The vulnerability, identified as CVE-2023-48788, is considered severe, with urgent patches been released. Versions affected by the vulnerability include FortiClientEMS 7.2 (versions 7.2.0 through 7.2.2) and FortiClientEMS 7.0 (versions 7.0.1 through 7.0.10).

An attacker can exploit a SQL injection vulnerability (CWE-89) in FortiClientEMS to execute commands via maliciously crafted HTTP requests on a server with SYSTEM privileges. This jeopardizes the integrity of the system and could result in complete control of the vulnerable server. Also of particular concern is the fact that no authentication is required to exploit the vulnerability. It definitely adds to its severity rating.

Recall that in February, Fortinet disclosed a critical remote code execution (RCE) bug (CVE-2024-21762) in the FortiOS operating system and FortiProxy secure web proxy. The company also noted it as “potentially being exploited in the wild”.

Fortinet Releases Immediate Patch

Fortinet recommends that all users immediately upgrade their systems to the latest versions to address the vulnerability. Furthermore, you should regularly check the DAS logs for suspicious requests that may indicate an attempt to exploit the vulnerability.

The developers also patched several other vulnerabilities this week. These including a critical write outside array (CVE-2023-42789) and buffer-based stack overflow (CVE-2023-42790) vulnerability in the FortiOS Capture Portal and FortiProxy. Also it could “allow an insider attacker with access to the Capture Portal to execute random code or commands via specially crafted HTTP requests”.

The post Fortinet RCE Vulnerability Affects FortiClient EMS Servers appeared first on Gridinsoft Blog.

Fortinet VPN RCE Vulnerability Uncovered

This flaw, identified as CVE-2024-21762 / FG-IR-24-015, poses a severe risk with a CVSS rating of 9.6 due to its potential exploitation in cyber-attacks. Also, the heart of this alert is an out-of-bounds write vulnerability within the FortiOS system. Such a flaw allows unauthenticated attackers to execute remote code through maliciously crafted requests.

The amount of fuzz around this new vulnerability caused by the popularity of Fortinet networking solutions, along with the severity of the said vulnerability. Aside from the aspects mentioned above, RCE flaws can lead to system compromise and data theft. In some cases, they can also initiate ransomware or espionage attacks. In simple terms, it can simply be the reason for a company-wide cyberattack, with downtimes, leaked data and all the related “delights”.

This critical flaw was disclosed alongside other vulnerabilities, including CVE-2024-23113, which boasts an even higher severity rating of 9.8, and two medium-severity flaws, CVE-2023-44487 and CVE-2023-47537. However, these additional vulnerabilities are not currently marked as being actively exploited in the wild, unlike CVE-2024-21762.

Hackers Exploit Fortinet RCE Flaw

The disclosure of this vulnerability comes after it was revealed that Chinese state-sponsored threats known as Volt Typhoon have already exploited FortiOS vulnerabilities in the past. The deployment of custom malware such as Coathanger, a remote access trojan (RAT), suggests that adversaries are willing to do anything to exploit such vulnerabilities. This malware, in particular, has been used in attacks against the Dutch Ministry of Defense. This highlights the critical nature of the threats posed by such malware.

Still, as statistics show, the majority of exploitation cases happen after the vulnerability is publicly disclosed. Therehence, the best option will be to patch the flaw as soon as possible. Fortunately, the developer already offers the fixes for CVE-2024-21762.

Patch and Mitigation

The patch released by Fortinet brings affected FortiOS systems up-to-date, addressing the vulnerability and preventing potential exploitation by attackers. Fortinet recommends upgrading based on the following table:

The developer has provided guidance for those unable to immediately apply the necessary patches to mitigate this flaw. A possible mitigation strategy is to disable SSL VPN on affected FortiOS devices. While this step may impact remote access capabilities, it may be necessary to prevent exploitation. It’s crucial to note that merely disabling web mode is not considered a sufficient workaround for this vulnerability.

The post New Fortinet VPN RCE Flaw Discovered, Patch ASAP appeared first on Gridinsoft Blog.

What is Fortinet and its products?

Fortinet is a developer of a very wide range of different software solutions, though all of them concentrate around cybersecurity. Those are EDR and SIEM solutions, network monitoring utilities, and all-encompassing appliances like FortiOS. Flexibility of available options made them an often choice among corporations. Overall, Fortinet boasts of over half a million users – as of the late summer 2022.

Though, such a wide variety of software obviously obstructs issuing hotfixes and urgent patches. You should keep an eye on and be diligent with everything you release – otherwise, problems are inevitable. Fortinet does a great job on that, but vulnerabilities still appear – and they disclosed two in the recent update for their software and firmware.

Vulnerabilities in Fortinet Products Allow for RCE

Remote code execution (RCE) flaws are always scary, as they make it possible for hackers to force your system to execute the code they want. A specifically crafted package sent to SSL-VPN pre-auth server can cause buffer overflows and allow hackers to execute whatever code they want. Fortunately, there are no confirmed cases of this vulnerability exploitation. Fortinet already released patches for all software that may be impacted by that breach. Actually, they did it last Friday, on June 9th 2023 – 3 days before releasing official notes regarding vulnerabilities.

Fortinet insists on installing the latest updates for all solutions present in the list of vulnerable ones. As far as the report goes, the vulnerabilities are similar to ones discovered on January 11, 2023 and dubbed CVE-2022-42475. New breach falls under CVE-2023-27997; it received the CVE index just today.

List of software solutions vulnerable to CVE-2023-27997

How to protect against vulnerability exploitation?

Well, the most obvious advice there is to follow the guides from software vendors. They can issue a patch or offer a quick fix solution that will prevent the exploit without any changes to the actual software. However, there are also proactive solutions – in all senses – that are able to counteract the threat even before the vulnerability is published.

Use protective solutions that embrace zero-trust policy. The latter is not ideal when it comes to resource-efficiency, but it makes vulnerability exploitation nearly impossible. Hackers that run exploits mainly rely on antivirus ignorance towards what is happening with a seemingly legit app. Zero-trust treats all apps as potentially hazardous, and analyzes all processes for possible malignant actions.

Using zero-trust almost always means using advanced security solutions, such as EDR or XDR. They are made specifically for protecting large networks, like ones you typically see in corporations. Such solutions are sometimes (yet not mandatory) supplied with zero-trust policy – consider picking one specifically.

The post Fortinet Fixes RCE Flaws in FortiOS and FortiProxy appeared first on Gridinsoft Blog.

Fortinet specialists have discovered a new GoTrim malware written in Go that scans the Internet for WordPress sites and brute-forces them by guessing the administrator password.

Such attacks can lead to the deployment of malware, the introduction of scripts on websites to steal bank cards, the placement of phishing pages, and other attack scenarios that potentially affect millions of users (depending on the popularity of the hacked resources).

Let me remind you that we also wrote that New Version of Truebot Exploits Vulnerabilities In Netwrix Auditor And Raspberry Robin Worm, and also that Ukraine Was Hit by DDoS Attacks from Hacked WordPress Sites.

Experts write that GoTrim is still in development, but already has powerful features. Botnet attacks began at the end of September 2022 and are still ongoing.

Malware operators provide their bots with a long list of target resources and a list of credentials, after which the malware connects to each site and tries to brute force administrator accounts using logins and passwords from the existing list.

If successful, GoTrim logs in to the hacked site and sends information about the new infection to the command and control server (including the bot ID in the form of an MD5 hash). The malware then uses PHP scripts to extract the GoTrim bot client from a hard-coded URL, and then removes both the script and the brute force component from the infected system.

Actually, GoTrim can work in two modes: “client” and “server”. In client mode, the malware initiates a connection to the botnet’s control server, while in server mode it launches an HTTP server and waits for incoming requests. For example, if a hacked endpoint is directly connected to the Internet, the malware uses server mode by default.

GoTrim sends requests to the attacker’s server every few minutes, and if the bot does not receive a response after 100 attempts, it will stop working.

The C&C server can send the following encrypted commands to GoTrim:

1. check provided credentials for WordPress domains;
2. check provided credentials for Joomla! (not yet implemented);
3. check provided credentials for OpenCart domains;
4. verify provided credentials for Data Life Engine domains (not yet implemented);
5. detect installations of CMS WordPress, Joomla!, OpenCart or Data Life Engine in the domain;
6. eliminate malware.

Interestingly, the botnet tried to avoid the attention of the WordPress security team and did not attack sites hosted on WordPress.com, only targeting sites with their own servers. This is implemented by checking the Referer HTTP header for “wordpress.com”.

It is also noted that if the target site uses a CAPTCHA plugin to fight bots, the malware will detect it and download the appropriate solver. GoTrim currently supports seven popular CAPTCHA plugins.

In addition, experts noticed that the botnet avoids attacking sites hosted on 1gb.ru, but the exact reasons for this behavior have not been established, although it is very possible that the hackers who created the malware are simply in Russia, but are looking for an opportunity to launder money.

To protect against GoTrim and other similar threats, experts recommend that site administrators use strong passwords, do not reuse passwords, and always use two-factor authentication, if possible.

The post GoTrim Malware Hacks WordPress Sites appeared first on Gridinsoft Blog.

Fortinet researchers studied the recently appeared open-source cryptor Cryptonite, distributed for free on GitHub.

It turned out that the creator of the malware made a mistake in the code, and the malware did not encrypt, but destroyed the data of the victims.

Let me remind you that we also wrote about FBI Says Cuba Ransomware ‘Made’ $60 Million by Attacking More Than 100 Organizations, as well as Security Experts Secretly Helped Zeppelin Ransomware Victims for Two Years.

Unlike other ransomware, Cryptonite was not sold on the darknet, but was distributed openly: it was published on GitHub by someone under the nickname CYBERDEVILZ (since then, the source code of the malware and its forks have already been removed).

The researchers say that the malware written in Python was extremely simple: it used the Fernet module to encrypt files and replaced their extension with .cryptn8.

The Cryptonite ransomware sample implements only basic ransomware functionality. The operator can set up a few things such as the exclusion list, server URL, email address, and bitcoin wallet. However, encryption and decryption are very simple and unreliable.

It also doesn’t provide any of the typical (but more sophisticated) ransomware features, such as:

1. Removing Windows Shadow Copy
2. Unlock files for more thorough exposure
3. Anti-analysis
4. Defensive evasion (bypass AMSI, disable event logging, etc.)

While this ransomware variant has given newcomers easy access to the cybercriminal business, it is not a serious tool.

However, something went wrong in the latest version of the malware: a sample of Cryptonite studied by experts blocked files beyond recovery, in fact, acting as a wiper.

The researchers say that the destructive behavior of the malware was not intended by its author. Rather, this is due to its low qualification, as errors in the code cause the program to crash when trying to display a ransom note (after the encryption process is completed).

In addition, an error that occurs during the operation of the encryptor leads to the fact that the key used to encrypt files is not transmitted to the malware operator at all. That is, access to the victim’s data is blocked completely and permanently.

The post Open-Source Cryptor Cryptonite Became a Wiper due to a Bug appeared first on Gridinsoft Blog.

Let me remind you that we also wrote that Google revealed the most powerful DDoS attack in history, and also that MooBot Botnet Attacks D-Link Routers.

For the first time, RapperBot malware was discovered by Fortinet analysts in August last year. Then it was reported that RapperBot has been active since May 2021, uses SSH brute force and is distributed on Linux servers.

RapperBot Campaigns

The new version of the malware that researchers have now discovered uses a self-propagation mechanism via Telnet, which is more similar to the original Mirai that underlies this malware. In addition, the goals of the RapperBot operators have become more obvious in the current campaign: in the new version, the malware is clearly adapted for attacks on game servers.

Experts were able to study the new version of RapperBot using C&C communications artifacts collected during previous campaigns (that is, this aspect of the botnet’s operation has not changed). It turned out that the new version has several differences, including support for Telnet brute force using the following commands:

1. registration (used by the client);
2. keep-alive (do nothing);
3. stop DDoS and shut down the client;
4. carry out a DDoS attack;
5. leave all DDoS attacks;
6. restart Telnet brute force;
7. stop Telnet brute force.

Now the malware tries to brute force new devices using weak credentials from a hard-coded list, whereas previously such a list was loaded from the control server.

If the accounted data is successfully guessed, the malware reports this to the cybercriminals’ control server via port 5123, and then tries to obtain and install a payload binary suitable for the architecture of the attacked device. The currently supported architectures are ARM, MIPS, PowerPC, SH4, and SPARC.

In addition, the functionality of RapperBot has been replenished with an extensive set of commands for DDoS attacks, including:

1. UDP flood;
2. TCP SYN flood;
3. TCP ACK flood;
4. TCP STOMP flood;
5. UDP SA:MP (targets Grand Theft Auto: San Andreas game servers)
6. GRE Ethernet flood;
7. GRE IP flood;
8. TCP flood.

Since the malware uses the Generic Routing Encapsulation (GRE) tunneling protocol and UDP, the researchers say that Grand Theft Auto: San Andreas Multi Player (SA:MP) servers are clearly one of the targets of the attackers.

Fortinet experts believe that all RapperBot campaigns were most likely organized by the same operators, since the new malware variants are clearly created by people who have access to the malware source code. Moreover, the C&C communications protocol and the credential lists used remain unchanged.

The post Mirai Botnet RapperBot Conducts DDoS Attacks on Game Servers appeared first on Gridinsoft Blog.