FortiGuard Labs | FortiGuard Center - Outbreak Alerts

Palo Alto Networks has recently disclosed two zero-day vulnerabilities, CVE-2024-0012 and CVE-2024-9474, affecting the PAN-OS firewall and other products. Both flaws, which are actively being exploited in the wild, affect the Management Web Interface. Successful exploitations allows attackers to bypass authentication and gain administrator-level access without any user interaction.

FortiGuard Labs continues to observe attack attempts targeting the recent Apache OFBiz vulnerabilities (CVE-2024-38856, CVE-2024-45195 and CVE-2024-36104) that can be exploited by threat actors through maliciously crafted unauthorized requests, leading to the remote code execution.

FortiGuard Labs has observed attack attempts aimed at PTZOptics cameras, with FortiGuard sensors detecting telemetry from as many as 4,000 devices. This surge in activity highlights the vulnerabilities present in these devices, which can be easily exploited by attackers seeking unauthorized access, potentially leading complete camera takeover, infection with bots, pivoting to other devices connected on the same network, or disruption of video feeds.

Threat actors chained and exploited multiple zero-day vulnerabilities affecting Ivanti CSA (Cloud Services Appliance). If successful, this could lead an attacker to gain admin access, obtain credentials, bypass security measures, run arbitrary SQL commands, and execute code remotely.

Security flaws in Mitel MiCollab, CVE-2024–35286, CVE-2024–41713, and an arbitrary file read zero-day (still without a CVE number) have been found, putting many organizations at risk. These vulnerabilities allow attackers to bypass authentication and access files on affected servers, revealing sensitive information that could expose organizations to serious security risks.

FortiGuard Labs has detected on-going exploit attempts targeting a recently patched Apache Struts 2 vulnerability. Attackers can manipulate file upload parameters to enable path traversal, potentially leading to malicious file upload. This may result in Remote Code Execution, allowing attackers to run arbitrary code, steal data, or compromise entire systems.

Due to the insufficient input validation, an attacker can exploit the vulnerability to launch a command injection attack by sending crafted messages with malicious commands.

FortiGuard Labs continues to observe attack attempts exploiting the vulnerabilities highlighted in the recent CISA advisory about Russian military cyber actors. These actors are targeting U.S. and global critical infrastructure to conduct espionage, steal data, and compromise or destroy sensitive information.

FortiGuard Labs observed "Critical" level of attack attempts to exploit an Authentication Bypass Vulnerability in TBK DVR devices (4104/4216) with upto more than 50,000+ unique IPS detections in the month of April 2023. The 5-year-old vulnerability (CVE-2018-9995) is due to an error when handling a maliciously crafted HTTP cookie. A remote attacker may be able to exploit this flaw to bypass authentication and obtain administrative privileges eventually leading access to camera video feeds.

FortiGuard network sensors detect attack attempts targeting the Progress Kemp LoadMaster. Successful exploitation of the CVE-2024-1212 vulnerability allows unauthenticated remote attackers to access the system through the management interface, potentially leading to data breaches, service disruptions, or further attacks

FortiGuard sensors continue to detect and block attack attempts targeting the Palo Alto Expedition vulnerabilities that could allow attackers to take over administrative accounts, putting configuration secrets, credentials, and other imported data within Expedition at serious risk.

FortiGuard Labs continue to see increase in Mallox ransomware related activities detecting Mallox ransomware on multiple hundred FortiGuard sensors. Ransomware infection may cause disruption, damage to daily operations, potential impact to an organization's reputation and extortion.

Threat Actors are exploiting a recently fixed RCE vulnerability in Zimbra email servers, which can be exploited just by sending specially crafted emails to the SMTP server.

A remote code execution vulnerability affecting GeoServer is under active exploitation, with recent attack attempts observed on 40,000+ FortiGuard sensors. This vulnerability (CVE-2024-36401) is suspected to be exploited by the Earth Baxia APT group, as reported by FortiGuard Recon and the root cause of the vulnerability lies in the absence of proper input validation during request handling, posing a significant risk of system compromise upon successful exploitation.

Cyber threat actors target Jenkins Arbitrary File Read vulnerability (CVE-2024-23897) in ransomware attacks. FortiGuard Labs continues to see active attack telemetry targeting the vulnerability.

FortiGuard Labs continue to observe attack attempts targeting the recent ServiceNow Platform vulnerabilities (CVE-2024-4879, CVE-2024-5217, & CVE-2024-5178). When chained together, could lead to Remote Code Execution and potential data breaches with unauthorized system access.

FortiGuard Labs has observed significant level of exploitation attempts targeting the new PHP vulnerability. The TellYouThePass ransomware gang has been leveraging CVE-2024-4577, a remote code execution vulnerability in PHP to deliver web shells and deploy ransomware on targeted systems.

Widespread exploitation of zero-day vulnerabilities affecting Ivanti Connect Secure and Policy Secure gateways underway.

Attackers exploit a zero-day vulnerability affecting Check Point Security Gateways to gain remote access. The vulnerability can allow attackers to read sensitive information on Check Point Security Gateways enabled with remote Access VPN or Mobile Access Software Blades.

Multiple D-link device vulnerabilities are being actively targeted. Many of the Routers and NAS devices are end-of-life (EOL) D-Link devices that do not have any patches available.