Daily Brief
Total articles found: 12816
| Time | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-10-24 05:05:21 | bleepingcomputer | CYBERCRIME | Fortinet Flaw Exploited Since June, Over 50 Servers Compromised | Mandiant reports that a new zero-day vulnerability in Fortinet's FortiManager, dubbed "FortiJump" and tracked as CVE-2024-47575, has been exploited since June 2024. The vulnerability allows unauthenticated attackers to execute commands via the FortiGate to FortiManager Protocol (FGFM) API, potentially affecting over 50 servers. Attackers exploited the flaw by registering unauthorized FortiManager and FortiGate devices carrying valid certificates to exposed FortiManager servers. Once connected, these devices could steal configuration data from managed FortiGate devices, including hashed passwords and device settings. The first detected misuse of the vulnerability originated from the IP address 45.32.41[.]202, with devices registering under generic or suspicious identifiers. Fortinet has responded by releasing patches and recommending specific security measures, such as IP whitelisting and command blocks, to prevent unknown device registrations. Despite the exfiltration of configuration data, Mandiant found no evidence of lateral movement or further network compromise stemming from the collected data. Mandiant continues to investigate the incident and will update its findings as more information becomes available. |
| 2024-10-24 04:34:37 | theregister | CYBERCRIME | AI Model Claude Raises Cybersecurity Risks with New Capabilities | Anthropic has released a new AI model, Claude 3.5 Sonnet, which can directly interact with computers, widening its range of potential applications. The model can operate computer software by typing, clicking, taking screenshots, and executing bash commands, among other functions. While this direct computer interaction enhances functionality, it introduces significant cybersecurity risks, as noted in Anthropic's cautionary documentation. The model can potentially execute commands from external sources that conflict with user instructions, exposing it to prompt injection attacks. Cybersecurity expert Rachel Tobac expressed concern over the ease with which cyber criminals could exploit this tool to automate harmful activities such as downloading malware or extracting sensitive data. Anthropic emphasizes the need for developers to implement strong safety measures to mitigate the risks associated with the model's expanded capabilities. The company urges isolating the AI from sensitive data and carefully monitoring its interactions to prevent unintended or malicious activity. |
| 2024-10-24 02:32:36 | theregister | MALWARE | Crypto-Crooks Deploy Perfctl Malware on Docker Servers | Trend Micro reports ongoing attacks in which the perfctl cryptomining malware targets unprotected Docker Remote API servers. Attackers gain initial access through internet-exposed Docker servers and use them to deploy a two-part malicious payload. The malware escapes Docker containers using the nsenter command, giving it the same capabilities as the host system. A Base64-encoded shell script ensures persistence, checks the system architecture, and injects a binary disguised as PHP. Trend Micro's investigation stemmed from detecting similar cryptojacking efforts directed at Docker systems earlier in the year. The researchers emphasize the need for strong access controls, routine patching, security audits, and Docker server monitoring to mitigate the threat. Further recommended hardening includes avoiding privileged mode and scrutinizing container configurations to protect against such malware. |
| 2024-10-24 00:19:49 | theregister | MALWARE | Samsung Exynos Chip Vulnerability Exploited by Hackers | Google's Threat Analysis Group (TAG) reports active exploitation of a zero-day vulnerability in Samsung Exynos chips. The vulnerability, identified as CVE-2024-44068, has a CVSS severity rating of 8.1 and is classified as high severity by Samsung. Affected Exynos versions include 9820, 9825, 980, 990, 850, and W920, with Samsung issuing a patch on October 7. Attackers are using the flaw in conjunction with other CVEs to execute arbitrary code on devices remotely. The exploit targets the memory management functions of the chip, allowing code execution in a privileged camera server process. Changes to process names, likely for anti-forensic purposes, have been observed as part of the exploit. Google TAG continuously monitors for espionage-related activity involving zero-day exploits targeting mobile devices. |
| 2024-10-23 23:33:51 | theregister | CYBERCRIME | Penn State Settles for $1.25M Over Cybersecurity Noncompliance | Pennsylvania State University will pay the DOJ $1.25 million to settle allegations of misrepresenting cybersecurity compliance and insecure data practices. The allegations originated from a whistleblower, a former university CIO, who claimed Penn State did not meet the NIST cybersecurity standards required for its federal contracts. The settlement resolves issues from cases related to 15 contracts Penn State had with the DoD and NASA, involving the management of sensitive, unclassified information. DOJ claims Penn State failed to implement necessary security requirements outlined in NIST SP 800-171 and lacked proper documentation and corrective action plans. It was also alleged that the university switched from a compliant cloud service (Box) to a less secure, non-compliant one (OneDrive) as a cost-saving measure. The whistleblower is set to receive $250,000 as part of the settlement. Penn State asserts the settlement is not an admission of guilt but an effort to avoid prolonged litigation and to address concerns from government sponsors. |
| 2024-10-23 22:53:00 | theregister | CYBERCRIME | FortiManager Critical Vulnerability Actively Exploited, Urgent Update Needed | Fortinet disclosed a critical vulnerability in its FortiManager software, identified as CVE-2024-47575, with a CVSS score of 9.8. The flaw enables remote code execution and could potentially allow attackers to spread across networks. Attackers exploit the vulnerability using a legitimate Fortinet device certificate to bypass authentication. CISA has recognized active exploitation of the issue and added it to its Known Exploited Vulnerabilities Catalog, urging immediate updates. Security expert Kevin Beaumont named the issue FortiJump and highlighted the exposure risk, estimating that 60,000 users could be affected. Fortinet recommends that users of FortiManager 7.6 and below promptly update their software and monitor for any signs of compromise. Reported exploitation involves script-driven exfiltration of files containing IP addresses, credentials, and configurations from affected management systems. Fortinet's advisory includes a list of malicious IP addresses and indicators for administrators to watch for as further signs of intrusion. |
| 2024-10-23 20:35:21 | theregister | DATA BREACH | Massive Data Theft Hits 350M Hot Topic Customers | An individual using the alias "Satanic" breached the loyalty account system of fashion retailer Hot Topic, compromising the personal information of approximately 350 million customers. Stolen data includes customers' names, email addresses, physical addresses, and dates of birth, along with limited financial information such as the last four digits of credit card numbers, card types, hashed expiration dates, and names of account holders. The thief has asked for $20,000 for the database, indicating a potentially low impact of the stolen information. Satanic offered Hot Topic the option to pay $100,000 to remove the sale listing of the stolen data. The breach source appears linked to a malware infection in September at Robling, a retail analytics firm, potentially implicating an employee. Hudson Rock, an Israeli security firm, noted Satanic's credible reputation in data theft and relatively successful financial outcomes from selling stolen data. Hot Topic has not commented on the breach as of the latest reports. |
| 2024-10-23 19:33:56 | theregister | MALWARE | Urgent SharePoint Remote Code Execution Flaw Actively Exploited | The US Cybersecurity and Infrastructure Security Agency (CISA) reported active exploitation of a Microsoft SharePoint deserialization vulnerability, tracked as CVE-2024-38094. Originally patched in July, the flaw allows an authenticated attacker with site owner permissions to remotely execute arbitrary code on SharePoint Server. The vulnerability carries a severity rating of 7.2 out of 10 and was deemed "important" by Microsoft, highlighting its potential risk. At least one proof-of-concept (POC) exploit is available, increasing the risk of the vulnerability being exploited by malicious parties. All Federal Civilian Executive Branch agencies are mandated to patch the vulnerability by November 12, and CISA advises all organizations to prioritize the update. Microsoft also resolved two other critical SharePoint Server vulnerabilities in its September updates, which could similarly enable remote code execution. |
| 2024-10-23 18:52:54 | bleepingcomputer | MISCELLANEOUS | WhatsApp Enhances Privacy with Encrypted Contact Storage System | WhatsApp introduces Identity Proof Linked Storage (IPLS), enhancing user privacy and contact management. IPLS allows users to securely sync their contact lists across different devices and to manage multiple accounts separately. The system encrypts contact names using symmetric keys stored in hardware security modules. Key features include end-to-end encryption of contacts, protecting the data from unauthorized access in transit. IPLS partners with Cloudflare for third-party auditing to ensure the integrity of its cryptographic operations. WhatsApp's Key Directory updates are publicly verifiable on Amazon S3, promoting transparency. A security audit by NCC Group identified and resolved a critical impersonation flaw and several lower-severity issues before the final IPLS release. |
| 2024-10-23 18:06:52 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Exploit Chrome Zero-Day via Fake DeFi Game | The North Korean hacking group Lazarus exploited a Google Chrome zero-day, CVE-2024-4947, using a decoy decentralized finance (DeFi) game. The attack was first detected by Kaspersky in May 2024, prompting Google to subsequently release a patch for the vulnerability. Lazarus used a website promoting a fake NFT-based multiplayer game, DeTankZone, to distribute the Chrome exploit. The exploitation involved corrupting Chrome's memory using a script embedded in the game's website, ultimately gaining access to the user's personal data. The attack allowed Lazarus to bypass Chrome's JavaScript execution sandbox and execute malicious code on the system. The primary aim of the exploit is believed to have been cryptocurrency theft, targeting individuals in the cryptocurrency sector. Despite discovering the exploit method, Kaspersky could not fully analyze the subsequent attack stages, as Lazarus had removed traces of the exploit from the site after detection. |
| 2024-10-23 17:35:55 | thehackernews | MALWARE | Grandoreiro Banking Malware Evolves with Sophisticated Evasion Techniques | New variants of the Grandoreiro banking malware feature advanced tactics to escape detection and bypass anti-fraud measures. Despite some arrests within the group, the remaining operators are actively updating the malware, targeting users and financial institutions across 45 countries. The malware uses domain generation algorithms for C2 communications, encryption methods such as ciphertext stealing, and sophisticated mimicking of user behavior, including mouse movement tracking. Recent developments include CAPTCHA barriers before payload deployment and self-updating capabilities within the malware to work around security measures. Grandoreiro is distributed primarily via phishing emails and malicious ads, using disguised files of up to 390 MB to bypass security sandboxes. The malware checks for the presence of major antivirus and banking security software and monitors applications across web browsers, email clients, and cloud storage services. New attack strategies include a clipper function to hijack cryptocurrency transactions and multi-stage infection processes to remain under the radar. The malware targets a wide range of financial institutions to steal sensitive credentials, which are then exploited using money mules organized through Telegram to cash out via transfers, cryptocurrency, or gift cards. |
| 2024-10-23 16:03:55 | bleepingcomputer | MISCELLANEOUS | Google Introduces Curated Chrome Stores for Business Use | Google plans to launch an "Enterprise Web Store" for Chrome and ChromeOS, giving businesses a platform to manage company-sanctioned browser extensions. The store is designed to enhance productivity, security, and management by allowing firms to curate and standardize tools across their organization. It aims to reduce security risk by blocking the download of unverified extensions that may compromise corporate data. The store will feature integrated extension telemetry to give IT admins real-time insight into extension usage and potential security threats. The Enterprise Web Store is part of Chrome Enterprise, which offers advanced security controls, centralized management, and enterprise-level support. New features, including integration with Google SecOps for risk assessments, are expected to strengthen the browser's security infrastructure. The announcement ties in with the recent launch of business-oriented Chromebook Plus devices that support AI-powered experiences. |
| 2024-10-23 15:07:20 | bleepingcomputer | CYBERCRIME | Critical Zero-Day Exploit in FortiManager Leads to Data Theft | Fortinet disclosed a critical vulnerability in FortiManager, identified as CVE-2024-47575, which allows unauthorized remote attackers to execute arbitrary commands and access sensitive data. The flaw, with a severity rating of 9.8, impacts several versions of FortiManager, and exploits have been observed stealing configurations, IP addresses, and credentials from managed devices. Fortinet privately informed FortiManager customers about mitigation steps via emails starting October 13, with public disclosure occurring later amid online leaks from customers and cybersecurity researchers. The vulnerability has been successfully exploited to compromise FortiManager servers, though no software installations such as malware were reported on the breached systems. Patches for certain vulnerable versions have been released, with the remaining updates expected shortly; mitigation steps are also available for systems awaiting updates. Various customers expressed frustration at the private and selective disclosure of the vulnerability information, with some not receiving advance warning. Fortinet provided Indicators of Compromise (IOCs) describing tactics such as rogue device registration under the name "localhost" to help detect breaches. Fortinet reiterated its commitment to customer security through advisory publications and ongoing coordination with global agencies, despite criticism of its transparency and disclosure practices. |
| 2024-10-23 14:05:46 | bleepingcomputer | MISCELLANEOUS | Pwn2Own Ireland 2024 Sees 52 Zero-Days Exploited on Day One | On the first day of Pwn2Own Ireland 2024, hackers demonstrated 52 zero-day vulnerabilities, competing for a share of a $1 million prize pool. Participants successfully exploited multiple devices, including WiFi cameras, routers, and smart speakers, earning a total of $486,250. The Viettel Cyber Security team excelled, showcasing significant vulnerabilities, including a $50,000 exploit chain from a QNAP QHora-322 router to a TrueNAS Mini X. Sina Kheirkhah of Summoning Team performed a remarkable exploit chain on the same devices, receiving $100,000 and 10 Master of Pwn points. RET2 Systems' Jack Dates achieved full device control of the Sonos Era 300 through an out-of-bounds write, securing $60,000. Some teams faced challenges: Summoning Team missed the deadline for certain device exploits, and Synacktiv encountered a bug collision, which affected their payout. The event continues, with more sophisticated exploits expected against an array of fully patched devices. |
| 2024-10-23 13:04:02 | thehackernews | DATA BREACH | Report Highlights Surging Crisis in Identity Security Threats | Nearly half of surveyed organizations (45%) have suffered identity security incidents in the past year, highlighting increasing vulnerability to impersonation and social engineering attacks. Although 86% of organizations believe they can identify their riskiest identities, many continue to experience breaches, particularly ones targeting sensitive data such as PII and IP. Security responsibilities remain mostly with IT departments, reflecting a traditional but possibly outdated view of identity security as merely access management. Investment in security appears robust, with SaaS and IaaS environments receiving substantial security budget allocations, yet overall readiness to tackle identity threats remains inadequate. There is an expressed need for a shift in how identity security is approached, suggesting it should transform from a technical task into a strategic business initiative. Despite identity security challenges, human identities are still considered riskier than non-human identities such as API keys or OAuth tokens. Permiso Security advocates unified identity security solutions that encompass all organizational environments and identity types, moving towards more strategic, proactive identity management. |