FortiOS – buffer overflow – CVE-2023-27997

A critical vulnerability discovered in FortiGate SSL VPN enables hackers to infiltrate vulnerable systems and inject malicious code, even when Multi-Factor Authentication (MFA) is activated.

The following Fortinet product versions are affected and their firmware should be updated.

Affected Products
FortiOS version 7.2.0 through 7.2.2
FortiOS version 7.0.0 through 7.0.8
FortiOS version 6.4.0 through 6.4.10
FortiOS version 6.2.0 through 6.2.11
FortiOS version 6.0.0 through 6.0.15
FortiOS version 5.6.0 through 5.6.14
FortiOS version 5.4.0 through 5.4.13
FortiOS version 5.2.0 through 5.2.15
FortiOS version 5.0.0 through 5.0.14
FortiOS-6K7K version 7.0.0 through 7.0.7
FortiOS-6K7K version 6.4.0 through 6.4.9
FortiOS-6K7K version 6.2.0 through 6.2.11
FortiOS-6K7K version 6.0.0 through 6.0.14
FortiProxy version 7.2.0 through 7.2.1
FortiProxy version 7.0.0 through 7.0.7
FortiProxy version 2.0.0 through 2.0.11
FortiProxy version 1.2.0 through 1.2.13
FortiProxy version 1.1.0 through 1.1.6
FortiProxy version 1.0.0 through 1.0.7
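A small inventory check against the ranges above, added here as an example and not part of Fortinet's advisory: it parses the "X version A through B" lines and tells you whether a given product/version falls inside an affected range. The embedded range text is a subset of the list above (extend it with the remaining lines), and the device versions in the demo are constructed samples.

```python
import re

# Affected ranges copied from the advisory text above (a subset; paste the remaining
# lines from the list to cover every product family).
AFFECTED_RANGES = """
FortiOS version 7.2.0 through 7.2.2
FortiOS version 7.0.0 through 7.0.8
FortiOS version 6.4.0 through 6.4.10
FortiOS version 6.2.0 through 6.2.11
FortiOS version 6.0.0 through 6.0.15
FortiOS-6K7K version 7.0.0 through 7.0.7
FortiProxy version 7.2.0 through 7.2.1
FortiProxy version 7.0.0 through 7.0.7
"""

RANGE_RE = re.compile(r"^(\S+) version (\d+\.\d+\.\d+) through (\d+\.\d+\.\d+)$")

def parse_version(text):
    """'6.4.10' -> (6, 4, 10). Integer tuples compare numerically, so 6.4.10 > 6.4.9;
    comparing the raw strings would wrongly sort '6.4.10' before '6.4.9'."""
    return tuple(int(part) for part in text.strip().split("."))

def parse_ranges(advisory_text):
    """Turn the advisory's 'X version A through B' lines into (product, low, high) tuples."""
    ranges = []
    for line in advisory_text.strip().splitlines():
        m = RANGE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised advisory line: {line!r}")
        product, low, high = m.groups()
        ranges.append((product, parse_version(low), parse_version(high)))
    return ranges

def is_affected(product, version, ranges=None):
    """True if product/version falls inside any advisory range (both ends inclusive)."""
    ranges = parse_ranges(AFFECTED_RANGES) if ranges is None else ranges
    v = parse_version(version)
    return any(p == product and low <= v <= high for p, low, high in ranges)

if __name__ == "__main__":
    # Constructed sample inventory, not real devices; 7.0.12 is just a higher number.
    for prod, ver in [("FortiOS", "7.0.8"), ("FortiOS", "7.0.12"), ("FortiOS", "6.4.10")]:
        status = "AFFECTED - upgrade" if is_affected(prod, ver) else "not in affected ranges"
        print(f"{prod} {ver}: {status}")
```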

CVE-2023-27997 denotes a critical heap-based buffer overflow vulnerability within Fortinet’s FortiOS SSL-VPN pre-authentication module.

Its exploitation permits data to overflow from a designated memory block into adjacent blocks on the heap, enabling the execution of arbitrary code and facilitating malicious program activity.

SSL VPNs are typically relied upon to establish secure connections to private organizational networks, and the vulnerability could grant cybercriminals access to any networks and products assumed to be safeguarded.

This vulnerability is exploitable pre-authentication, without privileged credentials, allowing attackers to evade interception and increasing the likelihood of a successful data breach.

The suggested response actions to mitigate the impact of CVE-2023-27997 are to upgrade to the latest FortiOS firmware release and/or to disable SSL-VPN on all impacted devices if it is not actively in use.

To shut off SSL-VPN access, follow this link.

Follow Fortinet’s best practice on hardening your network devices.

Anydesk Production Server Breached

AnyDesk recently confirmed a cyberattack compromising their production systems, resulting in the theft of source code and private code signing keys. The remote access software, popular among enterprises and threat actors alike, serves 170,000 customers, including notable organizations like 7-Eleven and Samsung.

AnyDesk detected the attack on their servers and enlisted CrowdStrike’s help to respond. While details on data theft remain undisclosed, the company assured users of system safety. They revoked security certificates, replaced compromised systems, and advised users to update to the latest version with new code signing certificates.

Though AnyDesk denies token theft, they revoked web portal passwords and advised users to change them as a precaution. The company replaced stolen code signing certificates, evident in the new software version 8.0.8. The certificate transition ensures continued security for users.

Doctor Web – Malicious apps on Google Play

Malicious Android apps on Google Play, including adware disguised as games and trojans, amassed over two million installs. These apps hid their presence by replacing their icons with the Google Chrome icon or with transparent images, and they generated revenue through intrusive ads.

Four adware (HiddenAds) apps disguised as games:

  • Super Skibydi Killer – 1,000,000 downloads
  • Agent Shooter – 500,000 downloads
  • Rainbow Stretch – 50,000 downloads
  • Rubber Punch 3D – 500,000 downloads

Additionally, some apps directed users to scams or online casinos. All mentioned apps have been removed, but users who installed them should delete and scan their devices. To avoid such apps, limit installations, read reviews, and verify publishers’ trustworthiness.

Some notable examples of those are:

  • Eternal Maze (Yana Pospyelova) – 50,000 downloads
  • Jungle Jewels (Vaibhav Wable) – 10,000 downloads
  • Stellar Secrets (Pepperstocks) – 10,000 downloads
  • Fire Fruits (Sandr Sevill) – 10,000 downloads
  • Cowboy’s Frontier (Precipice Game Studios) – 10,000 downloads
  • Enchanted Elixir (Acomadyi) – 10,000 downloads

Finally, the antivirus team spotted two Joker family apps on Google Play, which subscribe users to premium paid services:

  • Love Emoji Messenger (Korsinka Vimoipan) – 50,000 downloads
  • Beauty Wallpaper HD (fm0989184) – 1,000 downloads

Is Microsoft ditching SMS for Multi-Factor Authentication (MFA)?

Microsoft is discontinuing support for SMS in specific sign-in scenarios. This includes sign-ins from new devices and those that need multi-factor authentication (MFA).

The reason behind this move is to step up security and minimize the chances of unauthorized access.

Typically, the concern arises because employees might not want to use their personal mobile devices to verify their access.

Customers have the option to establish a conditional access policy to reduce the frequency of MFA prompts when they’re in trusted locations. To do this, you’ll need at least one Azure AD P1 (Microsoft Entra ID P1), Office 365 E3 Plan, or Office 365 Business Premium subscription.

Another choice is to get a FIDO2 key or a FIDO2-compliant passkey for each user. If you encounter any difficulties while setting up MFA using these methods, feel free to reach out to us for assistance.

What is Zero Trust?

Zero Trust is a network security concept and architectural approach that challenges the traditional perimeter-based security model. In a Zero Trust model, trust is never assumed, regardless of whether a user or device is inside or outside the corporate network. Instead, every request for access to resources is carefully verified and authenticated before being granted, regardless of the user’s location.

The core principles of Zero Trust include:

  1. Verify and Authenticate: All users, devices, and applications attempting to access resources must be verified and authenticated before access is granted. This involves using strong identity verification methods like multi-factor authentication (MFA) to ensure the user’s identity.
  2. Least Privilege: Users and devices are granted the least amount of privileges necessary to perform their tasks. This principle ensures that even if a user’s credentials are compromised, an attacker’s access to sensitive resources is limited.
  3. Micro-Segmentation: The network is divided into smaller, isolated segments or zones to reduce the potential impact of a security breach. Each segment has its own security policies and controls, and communication between segments is strictly regulated.
  4. Continuous Monitoring: Continuous monitoring and analysis of user behavior, device health, and network traffic help detect anomalies and potential security threats in real-time.
  5. Access Controls: Granular access controls are applied based on user identity, device health, and other contextual information. Access decisions are dynamically made based on this context.
  6. Encryption: Data in transit and at rest is encrypted to protect sensitive information from unauthorized access.
  7. Assume Breach: Zero Trust operates on the principle of “assume breach.” Instead of relying solely on prevention, the architecture assumes that threats are already inside the network and focuses on detection, containment, and response.

Zero Trust architecture is particularly relevant in today’s distributed and cloud-based environments, where the traditional perimeter-based security model is no longer sufficient to protect against sophisticated cyber threats. By adopting a Zero Trust approach, organizations can strengthen their security posture, reduce the attack surface, and improve the overall resilience of their network against modern cyber threats.

HTTPS Cipher Mismatch Error

The “cipher mismatch error” typically occurs in the context of secure internet connections when there is a mismatch between the encryption algorithms supported by the client (usually a web browser) and the server it is trying to connect to. This issue prevents the establishment of a secure and encrypted connection, leading to an error message being displayed to the user.

Besides network errors, common causes include an outdated web browser, an outdated server SSL/TLS configuration, server misconfiguration, expired SSL/TLS certificates and incompatible cipher suites.

Much has changed since 2021, when support for TLS 1.1 was disabled. Many modern browsers no longer support any SSL/TLS version prior to TLS 1.2.

[Screenshot: browser “connection not secure” warning]

There may be reasons you would want to access an old router or firewall: to retrieve an old configuration, to back up the config or to check network information.

[Screenshot: enabling TLS 1.0 in the browser’s protocol settings]

You may need to enable TLS 1.0, TLS 1.1 and, for even older routers, the SSL protocols in order to access the router’s web admin portal. Just remember to reverse the process once you’re done.

[Screenshot: click error]

You may also need to use Internet Explorer (no longer available in Windows 11), as all newer versions of Chrome/Firefox/Opera do not support the older protocols.

If you’re insistent on not using IE, you may need to look for versions prior to Chrome 84, Edge 84, Firefox 78 and Safari 14 in order for TLS 1.0 to work.
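To make the mismatch concrete, here is an added example (not from the original post) that models how a TLS client and server settle on a protocol version and cipher suite, and shows the two failure modes behind the error: no common version at all, and a common version with no common cipher. The browser and router profiles, and the `enable_legacy` step that mimics turning TLS 1.0/1.1 back on, are constructed assumptions rather than captures from real software.

```python
# TLS 1.3 suites are only usable on a TLS 1.3 connection; the legacy (OpenSSL-style
# named) suites only on TLS 1.2 or older. Names are real suite names, lists are samples.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256"}
VERSION_ORDER = ["TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]

def negotiate(client_versions, client_ciphers, server_versions, server_ciphers):
    """Return ('ok', version, cipher) or ('fail', reason).

    Simplified from RFC 5246 / RFC 8446: the server picks the highest protocol
    version both sides support, then the first suite in ITS preference order that
    the client also offered and that is valid for the chosen version.
    """
    common = [v for v in VERSION_ORDER if v in client_versions and v in server_versions]
    if not common:
        return ("fail", "protocol version mismatch")
    version = common[-1]
    for suite in server_ciphers:                      # server preference order
        if suite not in client_ciphers:
            continue
        if (suite in TLS13_SUITES) != (version == "TLS1.3"):
            continue                                  # suite not valid for this version
        return ("ok", version, suite)
    return ("fail", "cipher mismatch")                # common version, no common suite

# Constructed profiles: a modern browser (TLS 1.2+ only) and two old router admin
# interfaces, one speaking only TLS 1.0 and one that has TLS 1.2 but only legacy suites.
MODERN_BROWSER = {"versions": {"TLS1.2", "TLS1.3"},
                  "ciphers": ["TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
                              "ECDHE-RSA-AES256-GCM-SHA384"]}
OLD_ROUTER = {"versions": {"TLS1.0"}, "ciphers": ["DES-CBC3-SHA", "RC4-SHA", "AES128-SHA"]}
OLD_ROUTER_TLS12 = {"versions": {"TLS1.0", "TLS1.2"}, "ciphers": ["DES-CBC3-SHA", "RC4-SHA"]}

def enable_legacy(browser):
    """Mimics the post's 'enable TLS 1.0/1.1' step: old versions and a legacy suite return."""
    return {"versions": browser["versions"] | {"TLS1.0", "TLS1.1"},
            "ciphers": browser["ciphers"] + ["AES128-SHA"]}

def browser_to_router(browser, router):
    return negotiate(browser["versions"], browser["ciphers"],
                     router["versions"], router["ciphers"])

if __name__ == "__main__":
    print("modern vs TLS1.0-only router:", browser_to_router(MODERN_BROWSER, OLD_ROUTER))
    print("modern vs legacy-cipher router:", browser_to_router(MODERN_BROWSER, OLD_ROUTER_TLS12))
    print("legacy-enabled vs old router:", browser_to_router(enable_legacy(MODERN_BROWSER), OLD_ROUTER))
```

The third case is why re-enabling the old protocol works, and also why the post says to reverse it afterwards: the connection only succeeds on TLS 1.0 with a legacy suite.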

Malicious Linux Trojan Exploits WordPress Vulnerabilities to Hack Websites

Doctor Web, an anti-virus company, has uncovered a malicious Linux program called Linux.BackDoor.WordPressExploit.1 that targets websites using WordPress CMS. The malware exploits 30 vulnerabilities found in various plugins and themes for WordPress. If websites are using outdated versions of these add-ons without crucial fixes, the malware injects malicious JavaScript into their pages. This results in users being redirected to other websites when they click on any area of the attacked page.

The trojan is remotely controlled by cybercriminals, who can direct it to attack specified websites, switch to standby mode, shut itself down, or pause logging of its actions. It primarily focuses on hacking WordPress-based websites and injecting malicious scripts into their webpages by using known vulnerabilities in plugins and themes. The trojan collects statistics on its attacks and reports back to the C&C (command and control) server.

Additionally, Doctor Web discovered an updated version of the trojan called Linux.BackDoor.WordPressExploit.2, which has some differences in C&C server address and the list of exploited vulnerabilities.

To protect against this threat, website owners are advised to keep their WordPress platform and all its components, including third-party add-ons and themes, up-to-date. Strong and unique logins and passwords should also be used for website accounts.

The vulnerable WordPress plugins and themes are unpatched versions of:

  • Brizy WordPress Plugin
  • FV Flowplayer Video Player
  • WooCommerce
  • WordPress Coming Soon Page
  • WordPress theme OneTone
  • Simple Fields WordPress Plugin
  • WordPress Delucks SEO plugin
  • Poll, Survey, Form & Quiz Maker by OpinionStage
  • Social Metrics Tracker
  • WPeMatico RSS Feed Fetcher
  • Rich Reviews plugin

Worry about insufficient IT security? Protect your corporate network with Dr Web Security Suite now.

Apple released “Rapid Response” patch to fix a second zero-day

Apple released an emergency bug fix, known as the Rapid Response patch, to address a web-browsing security hole used in real-world spyware attacks. The bug, identified as CVE-2023-37450, could lead to arbitrary code execution and had reportedly been actively exploited. The attack involved a look-and-get-pwned technique, where simply viewing a malicious web page could invisibly implant malware on the device without clicking or approving any pop-ups.

The update fixed the WebKit bug and another kernel-level code execution bug, identified as CVE-2023-38606. These updates were released for various Apple operating systems, including iOS, iPadOS, macOS, tvOS, and watchOS.

Users are advised to promptly download and install these updates to protect against known and potential exploits. Additionally, these updates addressed other cybersecurity flaws, including elevation-of-privilege bugs and data leakage flaws. It is crucial to keep Apple devices up to date to safeguard against current and future threats.

Microsoft’s Report on Storm-0558 Cyberattack and Mitigation Measures

Microsoft published a report called “Analysis of Storm-0558 techniques for unauthorized email access.” The report revealed a cyberattack on approximately 25 organizations, including government agencies and consumer accounts in the public cloud. Although only 25 organizations were attacked, it could have affected many individuals as some government bodies employ a large number of people.

The attack exploited two security flaws in Microsoft’s back-end operations, which the company could fix internally without requiring client-side software updates. The attack used unauthorized access to victims’ Exchange data via Outlook Web Access (OWA) using illicitly acquired authentication tokens.

The attackers managed to use fraudulent email interactions to sneak into the victims’ systems, indicating they had compromised the process of creating authentication tokens. They were able to generate fake authentication tokens that passed Microsoft’s security checks, leading to unauthorized access.

Microsoft’s threat hunters characterized the attack and concluded that the list of affected customers is complete. They have taken measures within their cloud service to address the issues and to revoke the stolen signing keys.

For those not contacted by Microsoft, it is likely they were not affected. However, those involved in IT should remember the importance of applied cryptography, security segmentation, and thorough threat hunting to ensure comprehensive cybersecurity.
