Fortinet exploited zero-day: FG-IR-24-423 Missing authentication in fgfmsd
CVE-2024-47575 (9.8 critical, disclosed 23 October by Fortinet, noted earlier on 13 October by @GossiTheDog on Mastodon) Fortinet FortiManager Missing Authentication Vulnerability.

  • Reports have shown this vulnerability to be exploited in the wild.
  • The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices.

CISA added CVE-2024-47575 to the KEV Catalog about 3 hours afterward.

Just in case you didn't read closely, there are indicators of compromise (IoC) in the advisory. At least one of the IP addresses was reportedly used as a Cobalt Strike server 2 years ago.

cc: @cR0w @nopatience I require at least 25 favorites to unlock my next toot!

#fortinet #fortimanager #cve #zeroday #CVE_2024_47575 #vulnerability #eitw #activeexploitation #kev #cisakev #KnownExploitedVulnerabilitiesCatalog

New regulations set out circumstances in which the Secretary of State can intervene in the running of internet domain registries for UK-related domains

This somewhat lengthy blogpost about The Internet Domain Registry (Prescribed Practices and Prescribed Requirements) Regulations 2024 is probably of most interest to people running domain registries, and domain registrars, for .uk, .scot, .wales, .cymru, and .london.

To be honest, until yesterday, I had no idea that the Secretary of State had these kinds of powers...

https://decoded.legal/blog/2024/10/new-regulations-set-out-circumstances-in-which-the-secretary-of-state-can-intervene-in-the-running-of-internet-domain-registries-for-uk-related-domains

British intelligence services to protect all UK schools from ransomware attacks:

https://therecord.media/uk-pdns-schools-cyberdefense-intelligence-services

Direct link to #NCSC announcement: https://www.ncsc.gov.uk/blog-post/pdns-for-schools-provide-cyber-resilience-for-more-institutions

@douglevin @funnymonkey @mkeierleber @brett @brianhonan

For several days, robot vacuums in several U.S. cities were hacked, with perpetrators physically controlling them and shouting obscenities through their built-in speakers.

The cyberpunk world we live in.

https://www.abc.net.au/news/2024-10-11/robot-vacuum-yells-racial-slurs-at-family-after-being-hacked/104445408

Proofpoint: Security Brief: Royal Mail Lures Deliver Open Source Prince Ransomware
Proofpoint reported on a Prince ransomware campaign impersonating British postal carrier Royal Mail that occurred in mid-September and targeted people in the UK and the U.S. The activity was low-volume and impacted a small number of organizations. Notably, in most cases the messages appear to originate via contact forms posted on the target organizations’ websites, indicating the actor does not exclusively target organizations via email directly, but also from public contact forms. Proofpoint notes that there are no decryption mechanisms or data exfiltration, so the end result is destructive rather than typical ransomware. They describe the campaign details (from infection to ransom note) and include a bit about the ransomware creator SecDbg having a paid infostealer version called ThunderKitty. Proofpoint does not attribute this activity to a tracked threat actor. Indicators of compromise are provided.

Shoutout to @selenalarson for the awesome post

One thing that really sucks about me leaving Twitter/X and losing so much of my audience and reach is that I can watch in real time the people who my generation and older in infosec all knew were abusers, harassers, and generally really dangerous people being forgotten as such, and our warnings not being passed on to the younger generation.

Those same bad dudes are absolutely noticing they're in the clear, and coming right back into the conference, X, and education spaces where they can victimize young people, especially young women. They have the age, the money, and the power to do it. It really blows.

I'm sure it's exactly what Elon wanted.

Here is a traffic distribution system (TDS) in action. Fairly often when talking about TDS, I get the rebuttal: when I visited that domain, I only saw parking. Exactly. That's the point. :) A malicious TDS is like a router for malware -- the goal is to bring the best victims to the best malicious offering. And to play dead when it looks like they might be caught, aka look like parking or search ads.

What these images show is the difference between visiting the site tokclix[.]live from a scanner (urlscan) versus from a real Android phone. The former leads you to (sketchy) search arbitrage and the latter is classic scareware. This is what a TDS does.

Found this particular one while researching search arbitrage so it is fairly random. Started with an old post on BlackHat World, but the domains were all still live. On the screen capture you can see the redirects through the TDS.

The imgur video shows the original click to scareware -- watch the redirects.

#InfobloxThreatIntel #tds #dns #malware #threatintel #cybercrime #cybersecurity #infosec #scam #phishing
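As an added illustration (not part of the original post, and not Infoblox's code), the following Python script models the behaviour described above: a TDS that routes a visitor by client fingerprint, sending scanner-like clients to a "parking" page and real mobile clients onward to a scareware landing, together with the defender-side check that makes such cloaking visible. Crawl the same entry point with several client profiles and compare where each one ends up; divergent final destinations are the signal. All hostnames, routing rules and client profiles are constructed for the example.

```python
"""Constructed simulation of TDS cloaking and a multi-profile divergence check.

Nothing here talks to the network: the 'TDS' is a table of routing rules keyed
by hostname, which is enough to show why a single scanner visit sees parking
while a phone sees the real payload, and how crawling with several profiles
exposes the difference.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Client:
    """One crawl profile; the fields stand in for what a TDS fingerprints."""
    name: str
    user_agent: str
    is_mobile: bool
    looks_like_scanner: bool


# Constructed client profiles a defender might crawl with.
SCANNER = Client("urlscan-like", "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome", False, True)
ANDROID = Client("android-phone", "Mozilla/5.0 (Linux; Android 13; Pixel 7) Mobile", True, False)
DESKTOP = Client("desktop", "Mozilla/5.0 (Windows NT 10.0; Win64) Chrome", False, False)

# Constructed TDS rules: hostname -> rule(client) -> next hop, or None for a final page.
# Scanner-looking clients are "played dead" to a parking page, desktop users get
# search arbitrage, and mobile users are routed on to the scareware landing.
TDS_RULES: Dict[str, Callable[[Client], Optional[str]]] = {
    "tds-entry.example": lambda c: (
        "parking.example" if c.looks_like_scanner
        else "hop2.example" if c.is_mobile
        else "search-ads.example"
    ),
    "hop2.example": lambda c: "scareware-landing.example",
    "parking.example": lambda c: None,
    "search-ads.example": lambda c: None,
    "scareware-landing.example": lambda c: None,
}


def resolve_chain(start: str, client: Client, max_hops: int = 10) -> List[str]:
    """Follow the constructed redirects for one client profile and return every hop.

    max_hops guards against a redirect loop, which real TDS chains can contain.
    """
    chain = [start]
    host = start
    for _ in range(max_hops):
        rule = TDS_RULES.get(host)
        if rule is None:
            break  # unknown host: treat as the final page
        nxt = rule(client)
        if nxt is None:
            break
        chain.append(nxt)
        host = nxt
    return chain


def detect_cloaking(start: str, clients: List[Client]) -> dict:
    """Crawl one entry point with several profiles and report whether they diverge.

    Returns the per-profile hop lists, the final host each profile reached, and a
    'cloaking' flag that is True when not all profiles land on the same host.
    """
    chains = {c.name: resolve_chain(start, c) for c in clients}
    finals = {name: chain[-1] for name, chain in chains.items()}
    return {"chains": chains, "finals": finals, "cloaking": len(set(finals.values())) > 1}


if __name__ == "__main__":
    report = detect_cloaking("tds-entry.example", [SCANNER, ANDROID, DESKTOP])
    for name, chain in report["chains"].items():
        print(f"{name:14s} -> {' -> '.join(chain)}")
    print("cloaking detected:", report["cloaking"])
```

The single-scanner view is exactly the "I only saw parking" rebuttal: one profile yields one chain, and that chain is the benign one. The check only becomes meaningful when the same start is resolved under at least two profiles and the final hosts are compared, which is why a real crawler would vary user agent, device class and source network rather than trusting any one view.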

Really looking forward to explaining to my kid that his PII has been compromised for basically his entire life because he had the audacity to be born at a time when the positive incentives for computer security were nearly nonexistent and the regulatory penalties favored doing the bare minimum you can get away with.

Can confirm localsend.org works perfectly between Desktop Linux, Apple iOS & Android (LineageOS).

The cute & funny generated device names help a lot in acceptance of this tech by non-tech people.

Have not looked at the code yet, so no info on security as of now. Maybe some #Dart & #CyberSecurity gurus want to have a look & gift localsend & the #OpenSource community with a free audit? 😄

Anyone tried https://localsend.org already as a replacement for Apple's airdrop?

I'm especially interested in cross-platform usage experience. E.g. Apple <--> Linux & Android <--> Apple/iOS. Target group is teens & schools.

Also, how secure is this solution?

Feel free to boost this :)

Thanks in advance!

NEW: Details of people's therapy sessions—including reports, video and audio recordings—have been exposed by a healthcare company.

These included people mentioning sexual abuse and highly sensitive subjects. The exposed database has now been closed down.

The city of Columbus, Ohio got hacked by a ransomware gang; they didn't pay the ransom, so the gang released half of the stolen data, which included secret police and prosecutor files. The leak exposed countless victims', witnesses' and confidential informants' personal info and communications with the city.

The city claimed NO info was leaked. A cyber security enthusiast went to the media and proved otherwise.

https://www.bleepingcomputer.com/news/security/researcher-sued-for-sharing-data-stolen-by-ransomware-with-media/

🤬 City of Columbus sues man after he discloses severity of ransomware attack
— Ars Technica

“Only individuals willing to navigate and interact with the criminal element on the dark web, who also have the computer expertise and tools necessary to download data from the dark web, would be able to do so,” city attorneys wrote. “The dark web-posted data is not readily available for public consumption. Defendant is making it so.”

https://arstechnica.com/security/2024/08/city-of-columbus-sues-man-after-he-discloses-severity-of-ransomware-attack/

From the vault...

#InfoSec tip by @jerry

Click on a bunch of small links throughout the day to build up virus immunity.

A company appears to be abusing #BugCrowd’s #bugbounty program to hide essential details of a critical vulnerability. The company itself has rated the vulnerability as low severity. This has led many to disregard the vulnerability, which may have resulted in unpatched systems that remain vulnerable.

"I would like to remind you that as a researcher using the BugCrowd platform to submit this issue you are bound by the BugCrowd standard disclosure terms and you may not blog or disclose any information on the exploitation of this vulnerability."

If I were to follow these rules, it would mean that countless client systems could remain vulnerable to this critical vulnerability.

I’ve mostly had good experiences with bug bounty programs before this incident. Sure, I’ve had some disagreements at times, but I’ve never seen a program being abused like this before.

I just discovered that I can bypass the SSN / DL requirement on Georgia's #voter deregistration (wtf?) page at https://cancelmyregistration.sos.ga.gov/s/

All an attacker needs is name, county of residence, and birthdate.