Chinese hackers exploited a Fortinet vulnerability to infect 20,000 systems worldwide

Chinese-sponsored hackers gained access to 20,000 Fortinet FortiGate systems worldwide between 2022 and 2023 by exploiting a known critical security flaw.

The campaign targeted dozens of Western governments, international organisations and a large number of defence industry companies.

“The state actor behind this campaign knew about this vulnerability in FortiGate systems for at least two months before Fortinet disclosed the vulnerability. During this zero-day period, this actor infected 14,000 devices.” said the Dutch National Cyber Security Centre (NCSC) in a new bulletin.

The findings follow an earlier report in February 2024 that said attackers penetrated a computer network used by the Dutch armed forces by exploiting CVE-2022–42475 (CVSS score: 9.8), which allows remote code execution.

The attack opened the way for the deployment of a backdoor, codenamed COATHANGER, which provided persistent remote access to compromised devices and served as a launching point for further malware.

This latest event again highlights the ongoing trend of cyber attacks targeting edge elements to breach networks of interest.

London hospitals cancel more than 800 operations after ransomware attack

NHS England announced today that several London hospitals hit by the Synnovis ransomware attack last week have been forced to cancel hundreds of planned operations.

“Figures for the first week after the attack (3–9 June) show that more than 800 planned operations and 700 outpatient appointments had to be rearranged at the two worst affected hospitals — King’s College Hospital and Guy’s and St Thomas’ -” the NHS said.

Synnovis is focusing on the technical recovery of the system and plans to begin restoring some of the functionality of its IT system in the coming weeks. However, the full technical recovery will take some time.

Affected hospitals are currently unable to match patient blood at the same frequency as usual. For operations and procedures that require the use of blood, hospitals must use type 0 blood because it is safe for all patients.

In the coming weeks, more units of these blood types than usual will be needed to support the continued safe operation of hospitals.

Microsoft fixes critical vulnerability and zero-day vulnerability

Microsoft has disclosed updates for 51 vulnerabilities, one of which has been marked as “critical”.

The vulnerability(CVE-2024–30080) is a remote code execution (RCE) flaw in Microsoft Message Queuing (MSMQ) and Microsoft has assigned it a CVSS score of 9.8, describing its exploitation as “more likely”.

“Microsoft recommended disabling the service until an update can be installed.”

A search on Shodan revealed more than one million guests with port 1801 open and more than 400,000 results for ‘msmq’.” Given that this is an RCE vulnerability, I would expect this vulnerability to be actively exploited in the near future.

The zero-dat vulnerability, which was disclosed in February, is a DNSSEC protocol-level vulnerability.

“The vulnerability exists in DNSSEC validation, which can allow an attacker to exploit standard DNSSEC protocols designed for DNS integrity by leveraging excessive resolver resources and causing denial of service to legitimate users,” explained Diksha Ojha, developer at Qualys.

Various DNS implementations including BIND, PowerDNS and Unbound have already patched this vulnerability.

“The CVE-2023–50868 report released today does not provide further information on why this vulnerability was not patched earlier,” said Adam Barnett, Rapid7’s senior software engineer.

Bugs in Netgear WNR614 router allow device takeover, fix not available

Researchers have found half a dozen vulnerabilities of varying severity affecting the Netgear WNR614 N300, a low-cost router that has proven popular among home users and small businesses.

The device has reached end of life (EoL) and is no longer supported by Netgear, but its reliability, ease of use and performance make it an ever-present in many environments.

RedFox Security researchers discovered six vulnerabilities in the router, ranging from authentication bypass and weak password policies to password plaintext storage and Wi-Fi Protected Setup (WPS) PIN disclosure.

CVE-2024–36787: allows an attacker to bypass authentication and gain access to the management interface. The vulnerability allows unauthorized access to router settings, posing a serious threat to network security and sensitive user data.

CVE-2024–36788: the router has an incorrectly set HTTPOnly flag for cookies. An attacker can exploit this vulnerability to intercept and gain access to sensitive communications between the router and devices that connect to it.

CVE-2024–36790: the router stores login credentials in plaintext, making it easy for an attacker to gain unauthorized access, tamper with the router, and expose sensitive data.

CVE-2024–36792: the implementation of the Wi-Fi WPS feature allows attackers to gain access to the router’s PIN.

Since the router has reached the EoL level, Netgear is not expected to release security updates for these vulnerabilities. Users who still rely on the Netgear WNR614 should consider replacing it with a model that is actively supported by the manufacturer and provides better security.

Arm warns of actively exploited Zero-Day vulnerability in GPU drivers

Arm warns of a security vulnerability in the Mali GPU kernel driver that it says has been actively exploited.

The issue is tracked as CVE-2024–4610 and affects the following products.

Bifrost GPU kernel driver (all versions from r34p0 to r40p0)
Valhall GPU Kernel Driver (all versions from r34p0 to r40p0)
“An unprivileged user can perform GPU memory processing operations to access already released memory,” the company said last week

The vulnerability has been resolved in the Bifrost and Valhall r41p0 GPU kernel drivers.

Previously disclosed zero-day vulnerabilities in the Arm Mali GPU — CVE-2022–22706, CVE-2022–38181 and CVE-2023–4211 — have been exploited by commercial spyware vendors to launch highly targeted attacks on Android devices, with the exploitation of the latter vulnerability linked to Italian company Cy4Gate.

Users of the affected products are advised to update to the relevant version to protect themselves against potential threats.

Zajímáte se o kybernetickou bezpečnost? Podívejte se na další díly našeho týdeníku Bezpečnostní neděle.