Critical Fortinet RCE Flaw

Summary: Fortinet released a patch to fix a buffer overflow vulnerability in their SSL-VPN that would allow attackers to achieve remote code execution. The affected versions are FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below, and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, and version 1.1 all versions.

The RCE vulnerability allows attackers access to the VPN even if multifactor authentication (MFA) is enabled. The MFA bypass is possible because the vulnerability is a pre-authentication vulnerability. These vulnerabilities could defeat the purpose and the security provided by Fortinet VPNs. Remote code execution could be used to introduce malware or take over entire systems, endangering the data security within those systems.

Why it matters: VPNs are used and created to ensure that communications and access to private data and resources are secured. Fortinet appliances are widely used by companies for their VPN and firewalls. The vulnerability threatens the safety that VPNs provide. Not only does the vulnerability weaken the security of their data, but remote code execution could threaten the companies’ very resources as well. Fortinet’s popularity also makes them a target of groups that sell initial access to ransomware groups. It is thus important for users to update their VPN with the latest Fortinet patches.

MOVEit Vulnerabilities Continue

Summary: MOVEit, the secure data transfer software by Ipswitch, has had 3 vulnerabilities published last month. The initial vulnerability allowed the Cl0p ransomware gang to grab enterprise data. Investigation of the vulnerability shows that threat actors have been testing it since 2021. The targets of the ransomware gang included private companies from around the world as well as local and national governments. Upon the discovery of the first vulnerability, extensive research on the product revealed more vulnerabilities.

The disclosure of the vulnerability and its targets led to research that revealed two additional SQL injection vulnerabilities in MOVEit. The first of these would allow attackers to grab data from a web application’s database. The second allows threat actors to escalate privileges and gain unauthorized access. However, unlike the vulnerability exploited by the Cl0p ransomware gang, these newly discovered vulnerabilities have not yet been exploited according to research. Patches to fix the vulnerabilities have been released despite the lack of exploitation.

Why it matters: MOVEit is a product used in both the private and public sectors. It addresses the critical need of companies to securely transfer data across their networks. These entities rely on protecting data-in-transit to ensure data is protected at every stage of its lifecycle. Data transfer is an unavoidable requirement in every enterprise, as data needs to go to the proper databases, servers, and backups. The vulnerability exploited by the Cl0p ransomware gang allowed them to steal the data-in-transit of their targets. The gang has released a partial list of affected companies since the discovery of the vulnerabilities. Fortunately, there is no evidence that the latest vulnerabilities have been successfully exploited by threat actors. However, since they have been disclosed, it is important for MOVEit users to patch their systems against all known vulnerabilities before they become targets of threat actors.

Azure AD Authentication Bypass Affects Thousands

Summary: Also known as “nOAuth”, the Azure AD authentication bypass attack works across sites where organizations have enabled the “Login with Microsoft” feature within their environment. When implemented correctly, this authentication method allows users easy access to cloud-based services. When incorrectly applied, however, this method can make it easy for adversaries to compromise user accounts and access sensitive company information or resources. A successful attack gives a bad actor full run of a victim’s accounts, with the ability to establish persistence, exfiltrate data, explore whether lateral movement is possible, etc.

In the Azure AD environment, OAuth is used to help manage user access to external resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS (software as a service) applications using OAuth apps. Anyone with malicious intent and a decent amount of platform knowledge can simply set up an Azure AD account, and arbitrarily change the email attribute under “Contact Information” in that account to control the email authentication claim. “[This] allows the attacker to use ‘Log in with Microsoft’ with the email address of any victim they want to impersonate,” the researchers explained.

Why it matters: The attack flow is extremely simple and was just recently patched by Microsoft, with documentation dated June 20, 2023. It is imperative to all businesses that use “Login with Microsoft” to follow their latest security recommendations and patch any affected Azure AD applications to minimize the risk and ensure that multifactor authentication cannot be bypassed while logging in. Researchers have stated: “If your app uses ‘Log in with Microsoft’ and you handle authentication in-house, it’s critical that you check if you use the email claim returned by Azure AD as the unique identifier. If so, remediation steps should be taken to ensure the claim used as the unique identifier for the user is the ‘sub’ (Subject) claim to avoid potential exploitation.”
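The remediation the researchers describe, shown as an added example that is not part of the original article: a relying party that keys accounts on the unverified `email` claim beside one that keys them on the issuer-scoped `sub` claim. The claim sets are constructed, the issuer values are placeholders, and token signature and audience validation are assumed to have already happened upstream.

```python
"""Account lookup for a "Log in with Microsoft" relying party: the nOAuth bug beside its fix.

Keying accounts on the `email` claim means any token carrying the same email
attribute, from any tenant, resolves to the same account. Keying on the
(`iss`, `sub`) pair does not, because `sub` is assigned by the identity provider
and cannot be chosen by the token's presenter.
"""
from typing import Dict, Tuple

# Constructed sample ID-token claim sets (placeholder issuers, not real tenants).
VICTIM_CLAIMS = {
    "iss": "https://login.microsoftonline.com/<victim-tenant-id>/v2.0",
    "sub": "sub-victim-0001",
    "email": "alice@example.com",
}
# A token from a different tenant whose email attribute was set to the same value.
OTHER_TENANT_CLAIMS = {
    "iss": "https://login.microsoftonline.com/<other-tenant-id>/v2.0",
    "sub": "sub-other-0002",
    "email": "alice@example.com",
}


class EmailKeyedStore:
    """Vulnerable pattern: the email claim is the unique identifier."""

    def __init__(self) -> None:
        self.accounts: Dict[str, int] = {}

    def login(self, claims: dict) -> int:
        # Creates the account on first sight, otherwise returns the existing id.
        return self.accounts.setdefault(claims["email"], len(self.accounts) + 1)


class SubjectKeyedStore:
    """Remediated pattern: the (issuer, subject) pair is the unique identifier."""

    def __init__(self) -> None:
        self.accounts: Dict[Tuple[str, str], int] = {}

    def login(self, claims: dict) -> int:
        key = (claims["iss"], claims["sub"])
        # The email claim is display data only; it never selects the account.
        return self.accounts.setdefault(key, len(self.accounts) + 1)


def demo() -> Tuple[bool, bool]:
    """Returns (vulnerable store collides, remediated store collides)."""
    weak, strong = EmailKeyedStore(), SubjectKeyedStore()
    weak_same = weak.login(VICTIM_CLAIMS) == weak.login(OTHER_TENANT_CLAIMS)
    strong_same = strong.login(VICTIM_CLAIMS) == strong.login(OTHER_TENANT_CLAIMS)
    return weak_same, strong_same
```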

ESXi Zero-Day to Pilfer Files from Guest VMs

Summary: A Chinese cyber espionage group known as “UNC3886” has been spotted targeting VMware ESXi hosts using an authentication bypass flaw to execute privileged commands on virtual machines. The bug gives attackers a way to use a compromised ESXi host to transfer files to and from Windows, Linux, and vCenter guest virtual machines without the need for guest credentials — and without any default logging of the activity. VMware assessed the flaw as being of medium severity because, to exploit it, an attacker already needs to have root access on an ESXi host. This latest threat is being tracked as CVE-2023-20867, which has subsequently been patched by VMware as of June 20th.

In September 2022, Mandiant reported uncovering UNC3886 using poisoned vSphere Installation Bundles, or VIBs, to install multiple backdoors – collectively dubbed VirtualPITA and VirtualPIE – on ESXi hypervisors. The backdoors enabled the attackers to maintain persistent administrative access to the hypervisor, to route commands through the hypervisor for execution on guest VMs, and to transfer files between the hypervisor and guest machines. The malware bundle also allowed the UNC3886 actor to tamper with the hypervisor’s logging service and to execute arbitrary commands between guest VMs on the same hypervisor.

Why it matters: This threat actor continues its efforts to exploit ESXi hosts, and this latest discovery was announced after months of research and investigation performed by Mandiant. It is important to stay vigilant against adversaries targeting specific tools deployed within a company’s IT infrastructure and to ensure that all available patches are implemented and up to date. It is also highly recommended to enable logging on guest VMs, as the default logging on guest VMs fails to capture any trace of this malicious activity.

Security and AI

Summary: The recent growth of Artificial Intelligence (AI) has had an effect on many different industries and fields. Cybersecurity is no exception. A widely publicized letter by tech industry leaders earlier this year called for a pause in AI development due to its unknown risks. Even CEOs of AI companies, including OpenAI’s Sam Altman and DeepMind’s Demis Hassabis, acknowledge the societal risks AIs pose. For cybersecurity in particular, AI can be used to help correlate and adapt to new attack patterns. At the same time, attackers can use AI to help create and improve existing attack methods such as fraud and phishing.

AI is one of the fastest growing fields recognized today. The release of ChatGPT-3 and the subsequent release of ChatGPT-4 have worried industry leaders about the potential uses of AI. Some of these uses can be seen in AI-created malware that can bypass traditional security tools. These new tools in particular can help inexperienced malware developers create more advanced malware through the use of generative AI. This growth not only increases the complexity and effectiveness of malware but also increases the number of possible threat actors by lowering the barrier to entry into malware development.

Why it matters: AI is a dual-use technology that can be used by both legitimate and threat actors. On one hand, AI and machine learning can help improve software and its capabilities to detect malicious software. From the defenders’ side, AI’s self-teaching capabilities allow it to quickly adapt to the changing threat landscape with very little help. On the other hand, threat actors can use AI to create more sophisticated viruses and convincing social engineering attacks. While those are the more common uses of AI for both offense and defense, AI has already opened new avenues of attack that do not necessarily lie in the traditional software-based world of security, namely the potential for real-life harm using AI-generated images, videos, and audio. These new threats posed by AI can target companies and people, affecting them personally, financially, and possibly even legally. Although it is easy to assume that AI can easily be used ethically, there is still a possibility of misuse that could undermine the user’s intent. Regulation not only helps protect society from the unknown risks posed by AIs, it also would help shape the standard of current and future AI usage. It is thus important to be aware not only of how to use AI but also of how AI can be used as a threat.

Security Tip of the Month – Risks of Artificial Intelligence

Summary: Artificial Intelligence (AI) is being used by an inordinate number of people across a plethora of industries and applications, and there are equally as many myths and risks associated with AI as its use and influence continue to gain traction in our fast-paced world. AI is designed to make life simpler and blurs the line between “man and machine” by mimicking our human thinking and decision-making capabilities. The biggest flaw (currently) for AI is its source dataset: if the source is incomplete, there is a large margin for error that can lead to bias or discrepancies in the results.

Artificial Intelligence is a tool, and when used appropriately, it can assist people and organizations with organizing large datasets and calculating over that information in ways that are too time consuming for individuals and too complex for a basic computer program (like predicting the weather). However, there is a growing number of high-profile individuals who are concerned that AI is going to have a negative impact on the world and on our lives. As with most topics of discussion, the existential question of whether AI is “good” is determined by a person’s point of view.

Why it matters: As lawmakers and technical organizations begin to write laws and regulate the use of AI, it is important to understand what AI is, what its intended purpose is, and how each of us can help shape the future of AI. The question of how humans and AI interact was once more of an existential query than a concern. But now, with AI permeating everyday life, the question becomes more pressing. How does interacting with AI affect humans? That is the question that we, as a society, must answer. The aim of AI safety is to keep humans safe and to ensure that proper regulations are in place so that AI acts as it should. These issues may not seem immediate, but addressing them now can prevent much worse outcomes in the future.