Multiple Chinese Advanced Persistent Threat (APT) groups, including Volt Typhoon, Salt Typhoon, Flax Typhoon, and Velvet Ant, are engaging in sophisticated cyber espionage and disruptive campaigns. These groups employ various techniques, including “living off the land” (LOTL) methods, to compromise critical infrastructure, ISPs, and IoT devices. Volt Typhoon’s focus is on U.S. communication infrastructure, often leveraging compromised Fortinet devices for data exfiltration. Salt Typhoon targets U.S. Internet Service Providers (ISPs), seeking to compromise routers and network devices for data collection. Flax Typhoon utilizes compromised IoT devices to build botnets for command and control purposes, aiming at entities in Taiwan and expanding globally. Velvet Ant, a lesser-known group, targets software supply chains, aiming to indirectly infiltrate larger networks. These groups pose a serious threat to critical infrastructure and national security, requiring vigilant defense strategies to combat their stealthy operations.
A critical vulnerability, CVE-2024-47575 (dubbed “FortiJump”), was found in Fortinet’s FortiManager, a tool used for managing FortiGate firewalls. This flaw allows attackers to remotely execute code on vulnerable FortiManager devices without authentication. It’s been actively exploited, leading to concerns about transparency as some users learned about the vulnerability through unofficial channels. The vulnerability affects the FortiGate to FortiManager (FGFM) protocol, allowing attackers to bypass security measures by registering rogue devices. Approximately 60,000 FGFM devices are exposed to the internet, highlighting the significant risk associated with this vulnerability.
Arctic Wolf Labs has observed an increase in Fog and Akira ransomware attacks, with at least 30 intrusions across various industries since early August. These attacks often leverage SonicWall SSL VPN in the early stages of the attack chain, highlighting the importance of securing VPN access points. The malicious VPN logins originate from IP addresses associated with VPS hosting, providing defenders with a viable mechanism for early detection and response.
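The detection opportunity described above, as an added example that is not from Arctic Wolf or SonicWall: successful SSL VPN logins are matched against netblocks belonging to VPS hosting providers, and any hit is raised as an alert. The log line format, the VPS netblocks (RFC 5737 test ranges standing in for real provider ranges) and the sample events are all constructed for this illustration; a real deployment would parse the appliance's actual syslog schema and load the netblocks from a maintained hosting/ASN feed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed stand-ins for VPS provider ranges (assumption: loaded from a
# curated hosting/ASN list in practice).
VPS_HOSTING_NETS = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",   # TEST-NET-3, standing in for provider A
    "198.51.100.0/24",  # TEST-NET-2, standing in for provider B
)]

# Simplified, constructed login-event format, not SonicWall's real syslog schema.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) vpn-login user=(?P<user>\S+) "
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+) result=(?P<result>success|failure)$"
)

@dataclass
class Alert:
    ts: str
    user: str
    src: str
    network: str  # the VPS netblock the source address matched

def is_vps_source(ip: str) -> bool:
    """True if the address falls inside any known VPS hosting netblock."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPS_HOSTING_NETS)

def find_vps_logins(lines):
    """Return an Alert for every successful VPN login sourced from a VPS range."""
    alerts = []
    for line in lines:
        m = LOGIN_RE.match(line.strip())
        if not m or m["result"] != "success":
            continue  # unparsable lines and failed attempts are not alerted here
        addr = ipaddress.ip_address(m["src"])
        for net in VPS_HOSTING_NETS:
            if addr in net:
                alerts.append(Alert(m["ts"], m["user"], m["src"], str(net)))
                break
    return alerts

# Constructed sample events: two logins from VPS ranges, one from a home ISP range.
SAMPLE_LOG = [
    "2024-08-05T02:14:07Z vpn-login user=jsmith src=203.0.113.45 result=success",
    "2024-08-05T08:30:12Z vpn-login user=jsmith src=192.0.2.10 result=success",
    "2024-08-05T09:01:55Z vpn-login user=admin src=198.51.100.7 result=failure",
    "2024-08-05T23:47:31Z vpn-login user=svc-backup src=198.51.100.7 result=success",
]

if __name__ == "__main__":
    for a in find_vps_logins(SAMPLE_LOG):
        print(f"ALERT {a.ts} user={a.user} src={a.src} matched={a.network}")
```

Correlating the alert with the account's usual source ranges and login hours (the first hit above is an off-hours login for a user who otherwise connects from a residential address) turns a single match into a stronger early-warning signal.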
Fortinet FortiManager has a critical vulnerability, CVE-2024-47575, actively exploited in the wild. This flaw, rated at CVSS 9.8, allows attackers with sufficient permissions to execute arbitrary code, potentially leading to system compromise. CISA urges organizations to prioritize timely remediation of the vulnerability.
Fortinet, a major cybersecurity firm, confirmed a data breach in September 2024 after a threat actor claimed to have stolen 440GB of data from the company’s Microsoft SharePoint server. The attack reportedly targeted a third-party service used by Fortinet, impacting a small number of its Asia-Pacific customers. Although the company claims that the breach was limited in scope, the incident raises concerns about the security of third-party services used by major cybersecurity companies.
Fortinet, a cybersecurity company, confirmed a security breach involving unauthorized access to a limited number of customer files stored on a third-party cloud-based file drive. The incident raises concerns about the security of sensitive customer information entrusted to third-party services. Although Fortinet claims minimal disruption, the incident serves as a reminder of the importance of robust data security measures, access controls, and regular security assessments for all environments.
A new malicious software framework, known as Winos4.0, is being used by cybercriminals to infect Windows systems. The malware is primarily being distributed through game-related applications, likely targeting educational organizations. This framework grants attackers complete control over compromised machines, allowing them to steal sensitive information, install additional malware, or launch further attacks. Winos4.0 is designed to operate stealthily and evade detection, making it a significant threat to organizations and individuals using Windows systems.