Fortinet confirms data leak
Global cybersecurity firm Fortinet has confirmed a data breach after a hacker claimed to have stolen 440GB of files from its Microsoft SharePoint server. The hacker, going by the alias “Fortibitch”, claimed to have lifted the data from Fortinet’s Azure SharePoint instance and shared credentials to an alleged S3 storage bucket where the stolen data resides. Fortinet is a prominent player in the cybersecurity industry, offering a range of secure networking products as well as broader solutions and consulting services.
Fortinet acknowledged that an individual did gain unauthorized access to a third-party cloud-based shared file drive, leading to the theft of customer data. However, the company did not reveal the number of customers affected or the nature of the compromised data. It stated that it had reached out directly to the impacted customers and shared that the hacker had unsuccessfully tried to extort the company before releasing the data.
The compromise affected less than 0.3% of Fortinet’s customer base and has not led to any malicious activity targeting customers, according to an update on the company’s website. The cybersecurity firm further confirmed that the data breach did not involve any data encryption, ransomware, or access to the company’s corporate network.
Fortinet faced a similar situation back in May 2023 when a threat actor claimed to have breached the GitHub repositories of the company Panopta, which was acquired by Fortinet in 2020. In the current incident, further queries from BleepingComputer about the breach have not yet elicited a response from Fortinet.
Chinese hackers use Visual Studio Code for cyber attacks
The Chinese advanced persistent threat (APT) group known as Mustang Panda has been abusing Visual Studio Code in a series of cyberattacks on government entities in Southeast Asia. The group uses the software’s built-in remote tunnel feature as an embedded reverse shell to gain access to target networks, a technique first utilized in September 2023. This latest campaign follows a previously documented attack targeting an unnamed Southeast Asian government entity in late September 2023. Since its formation in 2012, Mustang Panda has been involved in multiple cyber espionage campaigns, often targeting government and religious entities across Europe and Asia, especially in countries surrounding the South China Sea.
The group’s recent attacks have prominently used Visual Studio Code’s reverse shell to execute arbitrary code and deliver additional payloads. Tom Fakterman, a researcher at Palo Alto Networks Unit 42, explains that an attacker can use either the portable version of code.exe, the executable file for Visual Studio Code, or an already installed copy of the software for malicious purposes. After running the command code.exe tunnel, the attacker receives a link that requires them to log in to GitHub with their account. They are then redirected to a Visual Studio Code web environment connected to the infected machine, where they can run commands or create new files.
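As an added detection example (not code from the article or from Unit 42), the following Python flags process-creation records in which the VS Code CLI is started in tunnel mode, the mechanism described above; the event records and their field names (host, user, image, cmdline) are constructed for the example.

```python
"""Added example, not code from the article or from Unit 42: flag process
creation events in which the VS Code CLI is started in 'tunnel' mode (the
article's code.exe tunnel). Event records and their field names are
constructed for the example."""
import shlex
from pathlib import PureWindowsPath, PurePosixPath

# "code.exe" is the binary named in the article; "code" is the assumed
# Linux/macOS name of the same CLI.
VSCODE_IMAGES = {"code.exe", "code"}

def image_basename(path: str) -> str:
    """Lower-cased file name, tolerating Windows and POSIX paths."""
    p = PureWindowsPath(path) if "\\" in path else PurePosixPath(path)
    return p.name.lower()

def is_vscode_tunnel(event: dict) -> bool:
    """True when the image is the VS Code CLI and 'tunnel' is an argv token.
    Token matching avoids false positives on paths that merely contain the
    word (e.g. opening a file called tunnel_notes.txt in the editor)."""
    if image_basename(event.get("image", "")) not in VSCODE_IMAGES:
        return False
    try:  # posix=False keeps Windows backslashes literal
        argv = shlex.split(event.get("cmdline", ""), posix=False)
    except ValueError:  # unbalanced quotes: malformed record, not flagged
        return False
    return any(tok.strip('"').lower() == "tunnel" for tok in argv[1:])

def find_tunnel_launches(events) -> list:
    """Return (host, user, cmdline) for every flagged event."""
    return [(e["host"], e["user"], e["cmdline"])
            for e in events if is_vscode_tunnel(e)]

# Constructed telemetry: a normal editor launch, a benign open of a file whose
# name contains "tunnel", a portable code.exe starting a tunnel, an unrelated process.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "alice",
     "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\proj'},
    {"host": "WS02", "user": "bob",
     "image": r"C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": r'"C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\Code.exe" C:\docs\tunnel_notes.txt'},
    {"host": "WS03", "user": "carol", "image": r"C:\Temp\vscode-portable\code.exe",
     "cmdline": r"C:\Temp\vscode-portable\code.exe tunnel"},
    {"host": "SRV01", "user": "svc_backup", "image": "/usr/bin/rsync",
     "cmdline": "rsync -a /data /backup"},
]

if __name__ == "__main__":
    for hit in find_tunnel_launches(SAMPLE_EVENTS):
        print("VS Code tunnel started:", hit)
```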
Dutch cybersecurity firm Mnemonic previously highlighted the misuse of this technique in relation to a now-patched vulnerability in Check Point’s Network Security gateway products early this year. Mustang Panda took advantage of this mechanism to deliver malware, perform reconnaissance, and exfiltrate sensitive data. It is reported that the attacker also used OpenSSH to execute commands, transfer files, and spread across the network. A deeper analysis of the infected environment revealed an additional cluster of activity involving ShadowPad malware, a backdoor commonly used by Chinese espionage groups.
It remains unclear whether the two intrusion sets may be connected or if two different groups have gained access independently or collaboratively. Fakterman suggests that these activities could originate from a single threat actor, possibly Stately Taurus. However, he maintains that there are various plausible explanations for the connection, including a collaborative effort between two distinct Chinese advanced persistent threat actors. Despite the uncertainty, these multiple and simultaneous cyberattacks underscore the sophisticated and multi-pronged approaches utilized by cyber threat actors, with a growing focus on exploiting popular software products.
New RAMBO attack steals data from RAM in air-gap systems
A new type of side-channel attack, known as a ‘RAMBO’ (Radiation of Air-gapped Memory Bus for Offense) attack, has been developed that enables data theft from air-gapped computers. Developed by Israeli researchers, the attack targets systems that are intentionally isolated from the internet and other networks, such as those systems used in highly secure environments like governments, nuclear power stations, and weapon systems. The method involves planting malware on a computer, which can then manipulate the system’s RAM to facilitate secret data transfer. The process uses memory access patterns to generate electromagnetic emissions from the computer’s RAM.
The RAMBO procedure involves the malware collecting sensitive data for transmission. It manipulates read/write operations on the memory bus, producing controlled electromagnetic emissions from the device’s RAM; security products do not actively monitor this process and cannot flag or stop it. The data is transmitted as binary “1”s and “0”s, represented as “on” and “off” radio signals, using Manchester encoding to improve error detection and keep the receiver synchronised, which minimises data interpretation errors at the receiver’s end. A Software-Defined Radio (SDR) with an antenna intercepts the modulated electromagnetic emissions and converts them back into binary form.
Following real-time testing of the attack, the researchers found that keylogging could be carried out in real time, with a password taking between 0.1 and 1.28 seconds to steal. RAMBO can facilitate the theft of a small image within 25 to 250 seconds and a 4096-bit RSA key within 4 to 42 seconds, depending on the speed of transmission. Transmission speeds of up to 1,000 bits per second (bps) were achieved, with this rate equating to 128 bytes per second, or 0.125 KB/s. As such, the RAMBO attack is best suited to stealing small quantities of data.
The researchers provided several recommendations on potential mitigations for the RAMBO attack and similar ones. Recommendations included enhanced physical defense through strict zone restrictions, RAM jamming to disrupt covert channels at the source, and the use of Faraday enclosures to block air-gapped systems from emanating EM radiation externally. In addition, external EM jamming could be used to disrupt radio signals. These methods, however, do bring with them various overheads. The researchers have tested the RAMBO method against sensitive processes within virtual machines and found it to be effective, but various interactions with the host OS and other VMs could disrupt the attacks swiftly.
Adobe fixes Acrobat Reader zero-day
Adobe has fixed a serious vulnerability in Acrobat Reader that was first discovered in June by cybersecurity researcher Haifei Li using his platform, EXPMON. The flaw, tracked as CVE-2024-41869, is a critical “use-after-free” bug that can lead to remote code execution from specially crafted PDF documents. If this bug were exploited, a hacker could potentially inject malicious code into a targeted device. Users of Adobe Acrobat Reader are being urged to update their software to the latest version as it includes a patch for this vulnerability.
EXPMON is a sandbox-based platform built by Li specifically to identify complex threats such as zero-days or hard-to-detect exploits. Unlike other systems that take a malware-detection perspective, EXPMON focuses on threats from the viewpoint of exploits and vulnerabilities, which allows for more advanced, or earlier, detection. The platform came across this particular vulnerability while examining a large number of samples submitted for analysis, one of which contained a proof-of-concept exploit exhibiting the bug.
After the vulnerability was discovered, Adobe was informed and released a security update in August. However, the flaw remained exploitable even after the update, prompting further work by Adobe’s security team. Subsequent testing showed that while the patched Reader displayed additional dialogs, the “use-after-free” bug could still be triggered and cause crashes if the user closed those dialogs, highlighting that the bug hadn’t been fixed.
On September 11, 2024, Adobe released a new security update that rectified the bug. More details about the discovery and technical aspects of the flaw will be released by Li via EXPMON’s blog and in an upcoming report by Check Point Research. Users of Adobe Acrobat Reader are strongly advised to install the latest update to protect their systems from this vulnerability.
Microsoft Patch Tuesday fixes 4 zero-day vulnerabilities
Microsoft’s September 2024 Patch Tuesday has included fixes for a total of 79 flaws, among which are four zero-days. Of these, three are actively exploited vulnerabilities and one has been publicly disclosed. This Patch Tuesday addresses seven critical vulnerabilities, some facilitating remote code execution and others leading to an escalation of privileges. The flaws are spread across the following categories: 30 Elevation of Privilege Vulnerabilities, 4 Security Feature Bypass Vulnerabilities, 23 Remote Code Execution Vulnerabilities, 11 Information Disclosure Vulnerabilities, 8 Denial of Service Vulnerabilities, and 3 Spoofing Vulnerabilities.
The zero-day vulnerabilities addressed include the CVE-2024-38014 Windows Installer Elevation of Privilege Vulnerability, which was found by Michael Baer with SEC Consult Vulnerability Lab. This loophole could have allowed an attacker to gain SYSTEM privileges on Windows systems. Another is the publicly disclosed Windows Mark of the Web Security Feature Bypass Vulnerability (CVE-2024-38217), courtesy of Joe Desimone from Elastic Security. The flaw had been actively exploited since 2018, using a technique called LNK stomping that could bypass the Smart App Control and the Mark of the Web security warnings.
A vulnerability in Microsoft Publisher that was bypassing security protection against embedded macros in downloaded documents has also been fixed. Although the discloser of the flaw and the exploitation method remain undisclosed by Microsoft, it was noted that successful exploitation of the flaw would result in the bypass of Office macro policies used to block untrusted or malicious files. Additionally, Microsoft addressed the flaw labeled CVE-2024-43491, a zero-day that reintroduces older exploited flaws. This flaw only applies to Windows 10 version 1507, Windows 10 Enterprise 2015 LTSB, and Windows 10 IoT Enterprise 2015 LTSB editions.
The September 2024 Patch Tuesday also saw the release of updates from other companies such as Apache, Cisco, Eucleak, Fortinet, Google, and many more. Microsoft provided a complete list of all the resolved vulnerabilities in the updates. Among this list are issues affecting Azure CycleCloud, Azure Network Watcher, Azure Stack, and Azure Web Apps, among others. One of the critical fixes was for the Microsoft Windows Update Remote Code Execution Vulnerability (CVE-2024-43491) in the Windows Update package.