Fortinet exploited zero-day: FG-IR-24-423 Missing authentication in fgfmsd
CVE-2024-47575 (9.8 critical, disclosed 23 October by Fortinet, noted earlier on 13 October by @GossiTheDog on Mastodon) Fortinet FortiManager Missing Authentication Vulnerability.

  • Reports have shown this vulnerability to be exploited in the wild.
  • The identified actions of this attack in the wild have been to automate, via a script, the exfiltration of various files from the FortiManager that contained the IPs, credentials and configurations of the managed devices.

CISA added CVE-2024-47575 to the KEV Catalog about 3 hours afterward.

Just in case you didn't read closely, there are indicators of compromise (IoC) in the advisory. At least one of the IP addresses was reportedly used as a Cobalt Strike server 2 years ago.

cc: @cR0w @nopatience I require at least 25 favorites to unlock my next toot!

#fortinet #fortimanager #cve #zeroday #CVE_2024_47575 #vulnerability #eitw #activeexploitation #kev #cisakev #KnownExploitedVulnerabilitiesCatalog

Proofpoint: Security Brief: Royal Mail Lures Deliver Open Source Prince Ransomware
Proofpoint reported on a Prince ransomware campaign impersonating the British postal carrier Royal Mail that occurred in mid-September and targeted people in the UK and the U.S. The activity was low-volume and impacted a small number of organizations. Notably, in most cases the messages appear to originate via contact forms posted on the target organizations’ websites, indicating the actor does not exclusively target organizations via email directly, but also through public contact forms. Proofpoint notes that there are no decryption mechanisms and no data exfiltration, so the end result is destructive rather than typical ransomware extortion. They describe the campaign details (from infection to ransom note) and include a bit about the ransomware creator SecDbg having a paid infostealer version called ThunderKitty. Proofpoint does not attribute this activity to a tracked threat actor. Indicators of compromise are provided.

Shoutout to @selenalarson for the awesome post