The Register

Old Fortinet flaws under attack with new method its patch didn’t prevent

Infosec In Brief Fortinet last week admitted that attackers have found new ways to exploit three flaws it thought it had fixed last year.

The cybersecurity firm published a notice last Thursday detailing how unknown threat actors achieved persistent access to FortiGate and FortiOS appliances using a trio of known vulnerabilities, including two that were used by the Chinese-backed Volt Typhoon group.

The new attack relies on symbolic links (symlinks) – files that offer a pointer to another file or a directory.

Fortinet explained that an unidentified threat actor created a symlink connecting the user filesystem to the root filesystem, which granted read-only access to resources including system configuration files.

Fortinet said that it has mitigated the issue and notified affected customers. If upgrading your Fortinet systems to known-good versions isn’t practical, Fortinet recommends disabling SSL-VPN, since the exploitation isn’t possible while that feature is disabled.
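As an added defender-side check, not code from Fortinet or from the article: a Python scan that walks a directory an appliance or web server serves from and flags any symlink whose resolved target falls outside that directory, which is the shape of the persistence described above. The directory layout, file names and function names are constructed for the illustration.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(served_root):
    """Return (link, target) pairs for symlinks under served_root whose
    fully resolved target lies outside served_root.

    A served directory should only ever reference files inside itself; a
    link that resolves to the root filesystem (or anywhere else outside)
    lets the serving component read files it was never meant to expose.
    """
    root = Path(served_root).resolve()
    findings = []
    # followlinks=False: list symlinked directories but never descend into them
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if not entry.is_symlink():
                continue
            target = entry.resolve()  # follows the whole chain of links
            try:
                target.relative_to(root)  # raises ValueError if outside root
            except ValueError:
                findings.append((str(entry), str(target)))
    return findings


def demo():
    """Constructed tree: one legitimate in-tree symlink and one that
    escapes to the root filesystem. Returns the scan result."""
    base = Path(tempfile.mkdtemp())
    lang = base / "lang"  # hypothetical folder of served language files
    lang.mkdir()
    (lang / "en.json").write_text("{}")
    os.symlink("en.json", lang / "default.json")  # stays inside: not flagged
    os.symlink("/", lang / "fs")                  # escapes to /: flagged
    return find_escaping_symlinks(base)


if __name__ == "__main__":
    for link, target in demo():
        print(f"symlink escapes served directory: {link} -> {target}")
```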

watchTowr CEO Benjamin Harris said that while it’s great that Fortinet took proactive action to share news of the persistence technique, it points to an unfortunate new trend everyone needs to be aware of.

“We have seen, numerous times, attackers deploy capabilities and backdoors after rapid exploitation designed to survive the patching, upgrade and factory reset processes organizations have come to rely on to mitigate these situations to maintain persistence and access to compromised organizations,” Harris said. “This is straight-up terrifying. In high-profile situations, we may be entering a world where even updates, patching, and factory resets are insufficient to consider restoring appliance integrity.”

Critical vulnerabilities of the week: Android edition

Android’s monthly security update landed last week and addressed multiple critical issues.

Among the fixes is one for a critical information disclosure bug in the Android Framework, and two more for critical issues in the System component (one allowing denial of service and the other elevation of privilege). A couple of zero-day vulnerabilities under active exploitation were also addressed (CVE-2024-43197 and CVE-2024-53150).

Elsewhere under active exploitation:

  • CVSS 9.8 – CVE-2025-31161: CrushFTP prior to versions 10.8.4 and 11.3.1 allows authentication bypass and administrator account takeover because it accepts logins without a password.
  • CVSS 9.8 – CVE-2025-30406: A hardcoded machineKey in Gladinet’s CentreStack portal allows attackers to achieve RCE in CentreStack via deserialization.

Chinese digi-dogs contain backdoor

A pair of security researchers have found Chinese-made robot dogs sold in the US were shipped with a preconfigured tunnel client designed to connect to a Chinese remote access platform.

Researchers Andreas Makris and Kevin Finisterre examined the firmware of Unitree’s Go1 quadruped robots and discovered a remote access tunnel client from Chinese vendor CloudSail set up on the devices; once they were able to get access to the CloudSail API, it gave them total control over the bots.

“Anybody with access to the API key can freely access all robot dogs on the tunnel network, remotely control them, use the vision cameras to see through their eyes or even hop on the RPI via SSH,” the pair said. “If this was abused or not does not matter in this case. The mere presence of this service without letting the user know is not a good practice and can be seen as malicious.”

Unitree Go1 robo-dogs are marketed for a variety of purposes, including for research, search and rescue, and military use cases. The researchers recommend isolating the bots from networks immediately, and then examining logs to check for any suspicious traffic.

No updates for old CVEs, says NIST

Still struggling with a backlog of vulnerability submissions, the National Institute of Standards and Technology last week announced it’s putting a whole bunch of older CVEs into “deferred” status, meaning that much like end-of-life software, updates won’t be forthcoming unless absolutely necessary.

All CVEs published prior to January 1, 2018, are now considered deferred, and NIST said they should all be marked as such in short order. Those with information to share on deferred CVEs can still do so, with NIST noting that it will continue to prioritize information that “clearly indicate[s] that an update to enrichment data … is appropriate … as time and resources allow.”

Deferred CVEs added to the known exploited vulnerabilities list, naturally, will be updated regardless of their deferred status.

In other words, don’t expect NIST to be your source for updates to older CVEs anymore, unless those updates are absolutely critical.

Dutch ministries caught in data leak

Multiple government ministries in the Netherlands have been caught up in a “major data leak,” according to local news sources, but details remain scarce.

The Ministries of Economic Affairs and Climate and Green Growth have both confirmed to Dutch news outlets that their organizations were affected, and news outlets believe others may be involved as well. The government has been tight-lipped about the cause, only telling reporters that it’s investigating.

Whether any data leaked is unknown.

The Dutch Data Protection Authority has been notified, however, perhaps suggesting sensitive stuff spilled or was stolen.

OpenAI helps spammers get creative

A bot used to spam at least 80,000 websites with ads for “low-quality SEO service” has proven incredibly effective in part due to its use of OpenAI services to generate constantly changing messages.

SentinelOne last week revealed the existence of a Python framework it has dubbed “AkiraBot” (named for the SEO company name in the spam messages, not the Akira ransomware crew) in a report that details a sophisticated modular tool it rates as superior to comparable bad bots.

The bot uses generative AI to create unique messages for each site it targets, and rotates the domains it uses to evade defensive filters. AkiraBot is also equipped with multiple different CAPTCHA evasion tools and uses multiple proxy hosts to further evade detection and hide the source of its traffic.

The individual or group behind AkiraBot hasn’t been identified. SentinelOne suspects it’s just one actor, as proxy credentials stored in every sample it has reviewed are the same, and only two OpenAI API keys were contained in the sample.

“Distributing output from our services for spam is against our policies,” OpenAI said of the matter. “The API key involved is disabled, and we’re continuing to investigate and will disable any associated assets.” ®
