CyberSecurity news

FlagThis - #fortinet

info@thehackernews.com (The Hacker News)@The Hacker News - 72d

Fortinet Flaws Allow Remote Code Execution - Fortinet has warned of a critical vulnerability in its Wireless LAN Manager (FortiWLM), allowing unauthenticated remote attackers to read sensitive files.
Multiple critical vulnerabilities have been discovered in Fortinet products, posing significant security risks. The most critical of these is CVE-2023-34990, a path traversal flaw in FortiWLM, which allows unauthenticated attackers to access sensitive files and potentially execute unauthorized code. This vulnerability, which has been given a CVSS score of 9.6 (or 9.8 by the NVD) stems from a lack of input validation on request parameters, enabling attackers to read log files which contain session IDs. Attackers can then use these session ID tokens to hijack sessions and gain access to authenticated endpoints, potentially granting admin access to the system.

Fortinet's FortiClient EMS has also been targeted, with a now-patched vulnerability (CVE-2023-48788) being actively exploited to deploy remote access tools like AnyDesk and ScreenConnect. This SQL injection flaw, which received a CVSS score of 9.3, enables attackers to execute unauthorized code. Hackers were observed using this flaw to gain initial access to systems, then dropping remote access software and password recovery tools to move laterally through the network. Other flaws include CVE-2024-48889, a command injection flaw in FortiManager, highlighting the wide range of vulnerabilities across multiple Fortinet products and underscoring the need for prompt patching.

Recommended read:
References :
  • securityaffairs.com: Security Affairs report about Fortinet FortiWLM flaw.
  • socradar.io: Critical Path Traversal in FortiWLM (CVE-2023-34990) Permits Code Execution; Next.js Auth Bypass (CVE-2024-51479)
  • The Hacker News: TheHackernews article about Fortinet Critical vulnerability.
  • The Hacker News: Hackers Exploiting Critical Fortinet EMS Vulnerability to Deploy Remote Access Tools
  • techacademy.online: Fortinet Warns of Critical FortiWLM Flaw That Could Lead to Admin Access Exploits
  • www.bleepingcomputer.com: Fortinet warns of critical FortiWLM bug giving hackers admin privileges
  • securityonline.info: CVE-2023-34990 (CVSS 9.8): Critical Security Flaw Found in Fortinet FortiWLM
  • circl: A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests.
  • circl: Social CIRCL post about Fortinet FortiWLM vulnerability.
  • Security Risk Advisors: Critical Vulnerability in Fortinet FortiWLM
@securityonline.info - 24d

Coyote Malware Expands Reach Targeting Windows Systems - The Coyote Banking Trojan targets Microsoft Windows users, distributed via malicious LNK files executing PowerShell commands to harvest sensitive information and bypass sandbox discovery, now targeting 1,030 sites and 73 financial institutions.
Fortinet's FortiGuard Labs has issued a high-severity alert regarding the Coyote Banking Trojan. This sophisticated malware, targeting Microsoft Windows users, has expanded its reach to include 1,030 websites and 73 financial institutions. The malware is distributed through malicious LNK files that execute PowerShell commands, initiating a multi-stage attack. The primary goal is to harvest sensitive data, including system details and lists of installed antivirus products.

The attack sequence begins with a LNK file executing a PowerShell command to retrieve a next-stage PowerShell script, launching the trojan. Once deployed, the trojan gathers system information and evades detection by security measures. Should a victim attempt to access a targeted site, the malware communicates with a command-and-control server, enabling actions like capturing screenshots or displaying phishing overlays to steal sensitive credentials, impacting financial cybersecurity.

Recommended read:
References :
  • gbhackers.com: FortiGuard Labs has issued a high-severity alert regarding the Coyote Banking Trojan, a sophisticated malware targeting Microsoft Windows users.
  • www.scworld.com: Updated Coyote malware facilitates more extensive compromise
  • gbhackers.com: Coyote Malware Launches Stealthy Attack on Windows Systems via LNK Files
  • The Hacker News: Coyote Malware Expands Reach: Now Targets 1,030 Sites and 73 Financial Institutions
  • securityonline.info: SecurityOnline article about the multi-stage Coyote banking trojan targeting Brazil.
  • securityaffairs.com: Coyote Banking Trojan targets Brazilian users, stealing data from 70+ financial apps and websites
  • securityonline.info: Coyote Banking Trojan: A Multi-Stage Financial Cyber Threat Targeting Brazil
@PCWorld - 10d

New Snake Keylogger Variant Launches Mass Attacks - A new variant of Snake Keylogger is launching over 280 million attacks, primarily impacting users in China, Turkey, Indonesia, Taiwan, and Spain, stealing credentials from browsers like Chrome and exfiltrating data via Telegram Bots.
A new variant of the Snake Keylogger malware is actively targeting Windows users, with over 280 million infection attempts detected globally. Cybersecurity researchers have identified this version, also known as the 404 Keylogger, as AutoIt/Injector.GTY!tr. The primary targets include users in China, Turkey, Indonesia, Taiwan, and Spain, where the malware spreads through phishing emails containing malicious attachments or links. The keylogger steals credentials from popular web browsers like Chrome, Edge, and Firefox by logging keystrokes, capturing screenshots, and monitoring the clipboard.

The stolen data, including sensitive information and credentials, is then exfiltrated to its command-and-control (C2) server through various methods, including SMTP email and Telegram bots. The malware utilizes AutoIt, a scripting language frequently used for Windows automation, to deliver and execute its malicious payload. By using AutoIt, the malware can create standalone executables that may bypass standard antivirus solutions. Once executed, the keylogger copies itself to the %Local_AppData%\supergroup folder, names itself ageless[.]exe, and sets its attributes to hidden and creates “ageless.vbs” in the %Startup% folder.

Recommended read:
References :
  • CyberInsider: New Snake Keylogger Variant Launches 280 Million Attacks
  • hackread.com: New Snake Keylogger Variant Hits Windows, Steals Data via Telegram Bots
  • cyberinsider.com: New Snake Keylogger Variant Launches 280 Million Attacks
  • The Register - Software: Snake Keylogger slithers into Windows, evades detection with AutoIt-compiled payload
  • Talkback Resources: Snake Keylogger Variant Hits Windows, Steals Data via Telegram Bots [net] [mal]
  • The Hacker News: New Snake Keylogger Variant Leverages AutoIt Scripting to Evade Detection
  • PCWorld: This high-risk keylogger malware is a growing threat to Windows users
  • Talkback Resources: New Snake Keylogger infects Windows using AutoIt freeware [mal]
  • www.scworld.com: More advanced Snake Keylogger variant emerges
  • Talkback Resources: New Snake Keylogger infects Windows using AutoIt freeware [mal]
Ameer Owda@socradar.io - 72d

FortiWLM Path Traversal and Next.js Auth Bypass - A critical path traversal vulnerability has been identified in FortiWLM, and a separate authorization bypass has been found in Next.js, both allowing unauthorized access.
Fortinet has issued warnings regarding critical vulnerabilities in its FortiWLM Wireless LAN Manager product. The most severe, tracked as CVE-2023-34990, is a path traversal flaw which allows remote, unauthenticated attackers to read sensitive files. This flaw stems from inadequate input validation on request parameters, enabling attackers to traverse directories and access log files which contain sensitive session ID tokens. By exploiting this vulnerability, malicious actors can gain unauthorized access to the system and potentially hijack user sessions for administrative control.

Additionally, a separate security flaw (CVE-2024-51479) has been found in Next.js, a popular React framework. This vulnerability represents an authorization bypass, which can compromise sensitive data and systems. It is important that users of both FortiWLM and Next.js implement patches as soon as possible, to mitigate the risk of code execution and unauthorized data access. Fortinet has also released updates for other products including FortiManager and FortiClient VPN addressing further security concerns.

Recommended read:
References :
  • socradar.io: Critical Path Traversal in FortiWLM (CVE-2023-34990) Permits Code Execution; Next.js Auth Bypass (CVE-2024-51479)
  • securityaffairs.com: Fortinet warns about Critical flaw in Wireless LAN Manager FortiWLM
  • The Hacker News: Fortinet Warns of Critical FortiWLM Flaw That Could Lead to Admin Access Exploits
  • Security Risk Advisors: Critical #vulnerability in Fortinet #FortiWLM The post appeared first on .
  • securityonline.info: CVE-2023-34990 (CVSS 9.8): Critical Security Flaw Found in Fortinet FortiWLM
  • techacademy.online: Fortinet Warns of Critical FortiWLM Flaw That Could Lead to Admin Access Exploits
  • www.bleepingcomputer.com: Fortinet warns of critical FortiWLM bug giving hackers admin privileges
  • circl: A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests.
  • circl: CIRCL.lu post about Fortinet FortiWLM path traversal vulnerability.
  • www.circl.lu: CIRCL technical report on the vulnerability.
@securityonline.info - 24d

Coyote Trojan Targets Brazilian Financial Application Users - The Coyote Banking Trojan targets Brazilian users by stealing data from over 70 financial applications and websites using malicious LNK files and PowerShell scripts.
The Coyote Banking Trojan is actively targeting financial institutions and online banking users in Brazil, stealing data from over 70 financial applications and websites. Cybersecurity researchers at FortiGuard Labs have uncovered this stealthy and highly sophisticated banking trojan which leverages malicious LNK files and PowerShell scripts to infiltrate Windows systems, deploy payloads, and steal sensitive banking credentials. The attack begins with a weaponized LNK file that executes a hidden PowerShell command, connecting to a remote server and downloading additional malicious scripts, initiating the next stage of the attack.

The Trojan can keylog user activity, capture screenshots, display phishing overlays, and even manipulate browser windows to steal financial data. It collects system information such as the machine ID, MAC address, Windows version, and installed security software, sending these details to remote command-and-control servers. The final payload includes the main Coyote Banking Trojan, which expands its target list to over 1,000 websites and 73 financial agents. Accessing any of the targeted sites could trigger further malicious activity, enhancing the threat to financial cybersecurity.

Recommended read:
References :
  • gbhackers.com: Coyote Malware Launches Stealthy Attack on Windows Systems via LNK Files
  • securityaffairs.com: Coyote Banking Trojan targets Brazilian users, stealing data from 70+ financial apps and websites
  • securityonline.info: Coyote Banking Trojan: A Multi-Stage Financial Cyber Threat Targeting Brazil
  • securityonline.info: Coyote Banking Trojan: A Multi-Stage Financial Cyber Threat Targeting Brazil
Ameer Owda@socradar.io - 72d

Next.js Authorization Bypass Exposes Root Pages - A high-severity authorization bypass vulnerability has been identified in Next.js, requiring developers to upgrade to version 14.2.15 to mitigate risks.
A critical security flaw, identified as CVE-2024-51479, has been discovered in the popular React framework Next.js. This authorization bypass vulnerability affects versions 9.5.5 through 14.2.14, allowing attackers to potentially gain unauthorized access to pages located directly under the application's root directory. The vulnerability stems from how Next.js handles authorization checks in middleware based on pathname rules, specifically affecting routes such as https://example.com/foo while leaving routes like https://example.com/ or deeper nested routes like https://example.com/foo/bar unaffected.

The potential impact of this vulnerability is significant, given the widespread use of Next.js among developers. The severity is rated high with a CVSS score of 7.5 and the ease of exploitation makes it an attractive target for malicious actors. Developers are urged to immediately upgrade to version 14.2.15, which includes a patch for the issue. For applications hosted on Vercel, the vulnerability has already been automatically mitigated. No other workarounds have been officially released, making the update essential for preventing exploitation. The vulnerability was responsibly disclosed by security researcher Tyage from GMO Cybersecurity by IERAE.

Recommended read:
References :
  • Cyber Security News: Next.js Authentication Bypass Vulnerability Impacts Millions of Developers
  • gbhackers.com: Next.js Vulnerability Let Attackers Bypass Authentication
  • securityonline.info: CVE-2024-51479: Next.js Authorization Bypass Vulnerability Affects Millions of Developers
  • socradar.io: Critical Path Traversal in FortiWLM (CVE-2023-34990) Permits Code Execution; Next.js Auth Bypass (CVE-2024-51479)
Stefan Hostetler, Julian Tuin, Trevor Daher, Jon Grimm, Alyssa Newbury, Joe Wedderspoon, and Markus @Arctic Wolf - 44d

Fortinet Firewall Configs Leaked From Zero Day - A hacking group leaked configuration files and VPN credentials for over 15,000 FortiGate devices, exposing sensitive information.
A new hacking group, known as Belsen Group, has leaked configuration files and VPN credentials for over 15,000 FortiGate firewall devices. The data, which includes full configuration dumps, device management certificates and even some plain text passwords, was made freely available on the dark web. Security researcher Kevin Beaumont first brought the issue to light, later confirmed by CloudSEK, and noted the vulnerability primarily affected Fortigate 7.0.x and 7.2.x devices.

The Belsen Group is believed to have been active since 2022, despite only recently appearing on social media and cybercrime forums. The leaked data was likely collected using a zero-day exploit in 2022, specifically CVE-2022-40684, and has only been released in January 2025. This means even organizations that have since patched may still be vulnerable if their configurations were captured by Belsen Group in 2022. The exposure of the data, which includes firewall rules, poses a significant security risk to affected organizations.

Recommended read:
References :
  • ciso2ciso.com: Ciso2Ciso news about new hacking group leaks configuration of 15,000 Fortinet Firewalls.
  • Kevin Beaumont: Cyberplace.Social post by GossiTheDog about Fortigate config data leak.
  • www.bleepingcomputer.com: BleepingComputer Article about hackers leak configs and VPN credentials for 15,000 FortiGate devices.
  • CySec Feeds: RT @S0ufi4n3: “2022 zero day was used to raid Fortigate firewall configs. Somebody just released them.“
  • www.theregister.com: 15,000 FortiGate Firewall Configurations Leaked by Belsen Group

Blogs

Research Tools