TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: CISA has confirmed that threat actors are now exploiting the critical SonicWall vulnerability CVE-2024-40766. As exploitation is ongoing, it is essential that organizations apply the relevant security patches immediately.
Exploitation of the recently disclosed critical SonicWall vulnerability CVE-2024-40766 (CVSS 9.3) has now been confirmed. CVE-2024-40766 is an improper access control vulnerability in SonicOS management access (SonicWall later noted that the SSLVPN feature is affected as well); successful exploitation allows a threat actor to gain access to unauthorized resources and, under specific conditions, to crash the firewall. It impacts SonicWall SOHO (Gen 5), Gen 6 and Gen 7 firewalls.
The vulnerability was initially disclosed on August 22nd, 2024, along with security patches. On September 6th, SonicWall updated their advisory to state that "this vulnerability is potentially being exploited in the wild"; no context or additional details were provided. Three days later, CISA added CVE-2024-40766 to the Known Exploited Vulnerabilities (KEV) catalog, confirming real-world attacks. CISA has not provided any details about the attacks exploiting the vulnerability. Researchers from Rapid7 confirmed observing several instances of exploitation, "including by ransomware groups". It is suspected that the Akira ransomware group is targeting the vulnerability in recent attacks.
As exploitation is ongoing, it is paramount that organizations using the impacted SonicWall products deploy security patches immediately. In addition to patching, organizations are recommended to:
The SonicWall vulnerability CVE-2024-40766 fits within a broader trend of threat actors exploiting internet-facing remote access technologies. The critical flaw, coupled with SonicWall's broad deployment in corporate environments, presents a significant risk, as it is valuable for both espionage and financially motivated cybercrime, such as ransomware attacks.
SonicWall vulnerabilities have a history of being targeted by financially motivated threat actor groups. In 2021, the HelloKitty group leveraged a similar vulnerability to launch ransomware attacks against vulnerable SonicWall SMA appliances. While eSentire cannot confirm exploitation of CVE-2024-40766 leading to ransomware deployment, as of September 8th eSentire has observed the targeting of SonicWall devices leading to data exfiltration. Based on the observed incident, it is probable that the threat actors exploited CVE-2024-40766.
eSentire released an advisory on the exploitation of CVE-2024-40766 on September 11th. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify vulnerable devices, and the eSentire Threat Response Unit (TRU) is actively investigating the topic for additional details and detection opportunities.
Bottom Line: September 10th marked Microsoft’s monthly Patch Tuesday release. This month, Microsoft highlighted four zero-day vulnerabilities confirmed to be actively exploited by threat actors. Organizations are strongly recommended to review the full Microsoft release and apply all relevant security patches.
In the September Microsoft Patch Tuesday release, the company disclosed a total of 79 separate vulnerabilities, a slight decrease compared to the August release. Out of the 79 vulnerabilities, seven are rated as critical, and four are confirmed to be actively exploited prior to patch release. The four confirmed exploited vulnerabilities are as follows:
The Microsoft release does not include any details on how these vulnerabilities have been exploited in real-world attacks.
Notably, Microsoft also addressed a number of SharePoint Server Remote Code Execution (RCE) vulnerabilities (CVE-2024-38018, CVE-2024-38227, CVE-2024-43464). All three vulnerabilities received criticality ratings of High and are listed as “exploitation more likely”. While technical details are not currently publicly available, organizations are recommended to prioritize the patching of these vulnerabilities, as exploitation is probable in the future.
Organizations are strongly recommended to review the full Patch Tuesday release and apply all relevant security patches.
This is the second Patch Tuesday release in a row to include a high number of actively exploited zero-day vulnerabilities, with the August release including six zero-days. While Microsoft states that four vulnerabilities from this release have been exploited, there are public claims of a fifth. According to the Zero Day Initiative (ZDI), a fifth zero-day vulnerability, tracked as CVE-2024-43461, is being exploited. Microsoft attributes the discovery of the vulnerability to ZDI but states that exploitation has not been identified. It is currently unclear whether CVE-2024-43461 has been used in attacks. Given the present uncertainty, organizations should treat the vulnerability as exploited until confirmed otherwise.
Please note: after publication of the Weekly Threat Briefing, Microsoft confirmed that CVE-2024-43461 had been exploited in the wild. To date, exploitation is believed to be limited to a single financially motivated APT group tracked as Void Banshee. The group exploited CVE-2024-43461 to enable the distribution of infostealer malware.
The high number of recent zero-day vulnerabilities is concerning; these vulnerabilities should be prioritized for immediate patching. In cases where vulnerabilities are being exploited prior to patch release, Endpoint Detection and Response (EDR) capabilities can act as a stop-gap solution, by identifying known techniques and tools employed post compromise.
Outside of zero-days, it is recommended to prioritize the patching of vulnerabilities in Internet-facing applications. These flaws are high value to threat actors, as they may enable initial access into victim companies. Vulnerability management services can aid in the identification and remediation of high priority vulnerabilities. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to all the CVEs listed in this briefing.
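The prioritization rule this briefing applies (confirmed exploitation first, then internet exposure, with an unconfirmed zero-day treated as exploited until proven otherwise) can be expressed as a small triage script. The following is an added example written for this page, not eSentire tooling: it reads an excerpt in the shape of CISA's public KEV JSON feed and ranks an asset inventory against it. The KEV records, hostnames, exposure flags, CVSS values and the reference date are constructed for illustration; the CVE identifiers are the ones discussed above.

```python
"""Patch-priority triage: rank findings by KEV status, then internet exposure.

Added example for this briefing (not eSentire or CISA code). The KEV excerpt and
inventory below are constructed; field names follow CISA's public KEV JSON feed.
"""
import json
from datetime import date, datetime

# Constructed excerpt in the layout of CISA's KEV feed (constructed data).
KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2024-40766", "vendorProject": "SonicWall", "product": "SonicOS",
     "dateAdded": "2024-09-09", "dueDate": "2024-09-30",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-38217", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2024-09-10", "dueDate": "2024-10-01",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed asset inventory: hostnames, exposure and CVSS values are assumptions.
INVENTORY = [
    {"host": "fw-edge-01", "cve": "CVE-2024-40766", "internet_facing": True, "cvss": 9.3},
    {"host": "wks-0142", "cve": "CVE-2024-38217", "internet_facing": False, "cvss": 5.4},
    {"host": "wks-0142", "cve": "CVE-2024-43461", "internet_facing": False, "cvss": 8.8},
    {"host": "sp-web-01", "cve": "CVE-2024-38018", "internet_facing": True, "cvss": 8.8},
    {"host": "sp-int-02", "cve": "CVE-2024-38227", "internet_facing": False, "cvss": 7.2},
]


def load_kev(text):
    """Parse a KEV-shaped JSON document into a dict keyed by CVE ID."""
    data = json.loads(text)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def tier(item, kev, assume_exploited):
    """0 = exploited and exposed, 1 = exploited, 2 = exposed only, 3 = routine."""
    exploited = item["cve"] in kev or item["cve"] in assume_exploited
    exposed = item["internet_facing"]
    if exploited and exposed:
        return 0
    if exploited:
        return 1
    if exposed:
        return 2
    return 3


def prioritize(inventory, kev, assume_exploited=frozenset(), today=date(2024, 9, 16)):
    """Return inventory rows annotated with tier/reason, most urgent first.

    'assume_exploited' holds CVEs with credible but unconfirmed exploitation
    claims (e.g. CVE-2024-43461 at the time of writing). 'today' is an assumed
    reference date used to compute days left until the KEV remediation deadline.
    """
    rows = []
    for item in inventory:
        rec = kev.get(item["cve"])
        due = datetime.strptime(rec["dueDate"], "%Y-%m-%d").date() if rec else None
        ransomware = bool(rec and rec.get("knownRansomwareCampaignUse") == "Known")
        reasons = []
        if rec:
            reasons.append("in CISA KEV (due %s)" % rec["dueDate"])
        elif item["cve"] in assume_exploited:
            reasons.append("treated as exploited pending confirmation")
        if item["internet_facing"]:
            reasons.append("internet-facing")
        if ransomware:
            reasons.append("known ransomware use")
        rows.append({
            **item,
            "tier": tier(item, kev, assume_exploited),
            "ransomware": ransomware,
            "days_to_kev_due": (due - today).days if due else None,
            "reason": "; ".join(reasons) or "routine patch cycle",
        })
    # Order: tier, ransomware-linked first, higher CVSS, then nearest KEV deadline.
    rows.sort(key=lambda r: (
        r["tier"],
        not r["ransomware"],
        -r["cvss"],
        r["days_to_kev_due"] if r["days_to_kev_due"] is not None else 10 ** 6,
    ))
    return rows


if __name__ == "__main__":
    for r in prioritize(INVENTORY, load_kev(KEV_JSON), {"CVE-2024-43461"}):
        print("T%d %-10s %-15s cvss=%.1f  %s" % (r["tier"], r["host"], r["cve"], r["cvss"], r["reason"]))
```

Run as-is, the SonicWall firewall lands at the top (KEV-listed and exposed), the assumed-exploited MSHTML flaw and the KEV-listed Windows flaw follow, and the internet-facing SharePoint server outranks the internal one even though neither is in KEV yet. Swap the constructed KEV excerpt for the live feed and the inventory for a vulnerability scanner export to use it operationally.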
Bottom Line: Fortinet has confirmed a data breach impacting a small portion of their customer base. Successful attacks against security companies can erode the trust in which these companies may hold with organizations.
On September 12th, the cybersecurity solutions company Fortinet confirmed an unauthorized intrusion that resulted in a data breach. The company stated in their blog post, "We recently identified signs of unauthorized access to a database in our environment that resulted in data being copied."
Earlier that day, before Fortinet confirmed the breach, a threat actor posted to a hacking forum claiming to have stolen 440GB of data from Fortinet's Azure SharePoint instance. The threat actor also shared credentials for an alleged S3 bucket where the stolen data is stored, so that others could download it. The threat actor, known as "Fortibitch", claimed to have attempted to extort Fortinet into paying a ransom for the stolen data, but the company refused.
Fortinet confirmed that the breached data included only limited information related to a small number (less than 0.3%) of Fortinet customers. The company also stated that there is no indication of malicious activity affecting customers, that Fortinet's operations, products and services have not been impacted, that the incident did not involve ransomware or data encryption, and that Fortinet immediately "executed on a plan to protect customers". The nature of the breach and its specific potential implications for Fortinet's customers were not made clear in the statement.
Fortinet also confirmed their engagement with appropriate authorities and external forensic experts according to their blog post stating, "We have also engaged with law enforcement agencies, and are working with leading external forensics experts to support our internal investigation." Detailed findings of the investigation were not provided in any statement made by the company.
The recent security breach at Fortinet has significant implications. It not only raises questions about the security measures in place within the company but also flags risks to the clients who depend on their services. Depending on the nature of the data copied, potential risks could range from identity theft to sophisticated, targeted cyber-attacks. This incident emphasizes the relentlessness of cyber threats, even for entities that specialize in cybersecurity.
Proactive defensive strategies to prevent such breaches involve both technical measures and human factors. Technical measures include regular audits to identify potential vulnerabilities, adopting Multi-Factor Authentication (MFA), and deploying anomaly detection, including machine learning based approaches. Equally important are the human factors: implementing robust security protocols, periodic personnel training to identify and react to threats, and ensuring a culture of security within the organization.
This is not the first time a cybersecurity firm has been targeted. In December 2020, the cybersecurity company FireEye disclosed that it had been impacted by a security incident; the attack resulted in the theft of penetration testing tools that could be misused by threat actors in future campaigns. That intrusion was part of the SolarWinds supply chain campaign. These incidents underscore the fact that no organization, however technically robust, is immune from such attacks. However, they also serve to increase vigilance within the industry and prompt enhancements in security measures.
As the digitization of assets and services continues, there has been an upward trend in the frequency and scale of cyber-attacks. This breach once again underscores the need to constantly evolve and adapt to the changing threat landscape. Cybersecurity isn't a one-time process, but an ongoing challenge that requires continuous monitoring, upgrading, and adaptation.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.