CVE-2018-13379

Published: 04/06/2019 Updated: 03/06/2021
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 523
CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under the SSL VPN web portal allows an unauthenticated malicious user to download system files via specially crafted HTTP resource requests.

Most Upvoted Vulmon Research Post

Fortinet FortiOS Path Traversal Retrieving plaintext credentials: https://localhost/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession

Vulnerable Products

fortinet fortios

Exploits

# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text
# Google Dork: intext:"Please Login" inurl:"/remote/login"
# Date: 17/08/2019
# Exploit Author: Carlos E Vieira
# Vendor Homepage: www.fortinet.com/
# Software Link: www.fortinet.com/products/fortigate/fortios.html
# Version: This vulnerability affects ( For ...

Mailing Lists

FortiOS versions 5.6.3 through 5.6.7 and 6.0.0 through 6.0.4 suffer from a credential disclosure vulnerability ...
This Metasploit module exploits FortiOS versions 5.6.3 through 5.6.7 and 6.0.0 through 6.0.4 to leverage a credential disclosure vulnerability by reading the /dev/cmdb/sslvpn_websession file ...

Github Repositories

CVE-2018-13379 Script for Nmap NSE.

cve2018-13379-nmap-script CVE-2018-13379 Script for Nmap NSE

CVE-2018-13379-FortinetVPN An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 under the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.

FG-IR-18-384 (CVE-2018-13379) Exploitation Tool. Exploit allowing for the recovery of cleartext credentials. This tool is provided for testing purposes only. Only run it against infrastructure for which you have received permission to test. Head nod to those who discovered the exploit; more information by the researcher can be found here: blog.orange.tw/2019/08/attacking-

Credenciais_de_acesso_Fortinet Script for CVE-2018-13379; returns VPN access credentials in clear text. Execution permission: $ sudo chmod +x Fortinet.sh. Run the script (note: an ips.txt list must already exist; only port 10443 will be scanned on those hosts): ./Fortinet.sh

FortiFuck-Checker Tool written in Bash script to check CVE-2018-13379. Usage:
-h Get this help message
-t Insert a valid IP Address to check (IP:port)
-l Provide a path to a file containing a list of IPs, one per line (IP:port)
-c Provide a country name if you're interested in a specific country's IPs
-o Output filename

Fortinet FortiOS path traversal vulnerability (CVE-2018-13379) batch detection script

Usage & disclaimer. This script is a batch detection script for the Fortinet FortiOS path traversal vulnerability (CVE-2018-13379). Usage: Python CVE-2018-13379.py url.txt; vulnerable addresses are written to vul.txt. Affected versions: the SSL VPN in Fortinet FortiOS 5.6.3 - 5.6.7 and 6.0.0 - 6.0.4 is affected by this vulnerability. The vulnerability stems from the system failing to correctly filter, within the resource or file path, the

CVE-2018-13379 CVE-2018-13379 Module for Router Scan Project. How To Use: prepare: pip3 install time,threading,ipcalc,requests; usage: python3 exp.py -f [list.txt]. Copyright: some part of this repository that sends the tcp response is partly forked from milo2012/CVE-2018-13379 with some changes for APIs of Router Scan Project.

CVE-2018-13379-FortinetVPN An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 under the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests. detect-fortinet.sh = Check if the host is running Fortinet VP

Extract Useful info from SSL VPN Directory Traversal Vulnerability (FG-IR-18-384)

Fortiscan (CVE-2018-13379) Exploitation Tool. You can use this tool to check the vulnerability in your FortiGate SSL-VPN service. www.fortiguard.com/psirt/FG-IR-18-384

CVE-2018-13379 Exploit

FortiOS-Credentials-Disclosure CVE-2018-13379 Exploit. Usage: python CVE-2018-13379.py list.txt

Archiving Leaked samples from Different sources for Different Uses

Vault6 SunBurst : FireEye Tools, Supernova_webshell_backdoor, APT_Dropper, APTs. Android Malware Collection : Anubis Source, Dendroid Source. Leaks : Readme.txt (Mega/Torrent Links files), WinXp_Source, WinServer_Source, Intel_Leak, Nissan_Leak, CVE-2018-13379

Cring-Ransomware RELATED IOCs, MITIGATION STEPS AND REFERENCE LINKS. Common Vulnerabilities and Exposures (CVE): (CVE-2018-13379) Fortinet FortiOS, (CVE-2010-2861) Adobe ColdFusion flaw. IOCs (Indicators of compromise): SHA-256 hashes (list omitted).

-Infiltration-summary Day-to-day work notes. Connecting Navicat to a local MySQL database: ALTER USER 'root'@'localhost' IDENTIFIED BY 'password' PASSWORD EXPIRE NEVER; ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password'; Remote-control learning: github.com/TideSec/BypassAntiVirus. Lightweight Directory Access Protocol

Conti-Ransomware RELATED IOCs, MITIGATION STEPS AND REFERENCE LINKS. Common Vulnerabilities and Exposures: Firewall Vulnerabilities CVE-2018-13379, CVE-2018-13374; gather foothold using Cobalt Strike. IOCs (Indicators of compromise): BazarLoader, Loader download and Cobalt Strike network indicators (list omitted).

CVE-2018-13379-CVE-2020-12812-CVE-2019-5591 A full-fledged exploit for CVE-2018-13379-CVE-2020-12812-CVE-2019-5591 and not only, with a powershell parser. Any evidence: satoshidiskcom/pay/CEidm7 code Stop-Transcript -ErrorAction SilentlyContinue $logname = (Get-Date -Format hhmmss_ddMM) + "_megalog.log" Start-Transcript $logname //SECTION Предскри

A curated list of my functional exploits...

Public-Exploits A curated list of my functional exploits. About: Public exploits (re)written for learning purposes or pentesting / red teaming assessments. Contents: Centreon: Centreon Web CVE-2015-1560, CVE-2015-1561 | Centreon Web Time-Based Blind SQLi to RCE. Fortinet Fortigate: CVE-2018-13379 | Fortigate SSL-VPN Credentials Stealer; CVE-2018-13382 | Fortigate SSL-VPN

Dorks for Google, Shodan and BinaryEdge

Dorks are cool Dorks for Google, Shodan and BinaryEdge. Only for use on bug bounty programs or in coordination with a legal security assessment. I am in no way responsible for the usage of these search queries. Be responsible, thanks - www.bugcrowd.com/resource/what-is-responsible-disclosure/ This repository is "under construction"; feel free to make pull requests.

REvil Ransomware Related IOCs, Mitigation steps and References. Common Vulnerabilities and Exposures: CVE-2018-13379, CVE-2019-2725, CVE-2019-11510, CVE-2021-30116. IOCs: defanged IP addresses (list omitted). References: dsa.gov.bd/documents/magazine-document_89046_2021-02-28.pdf www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomw

Fortigate VPN: CVE-2018-13379: Pre-auth arbitrary file reading. In 2019, vulnerabilities in products of the company Fortinet were reported by the researchers niph_ and ramoliks; the CVEs were: CVE-2018-13379: Pre-auth arbitrary file reading; CVE-2018-13380: Pre-auth XSS; CVE-2018-13381: Pre-auth heap overflow; CVE-2018-13382: The magic

little-log-scan - Scan log files for suspicious strings. Small tool that scans log files for suspicious strings. Intended for webserver logs, but usable with any text-based log file. Lines are read from standard input, and any matches are written to standard output. Usage: Through npx: npx little-log-scan [options]. Through npm: npm install little-log-scan && npm

Dataset info & mapping In this repository we provide a full list of all events that were included in the Dataset, and provide the event mappings to expert rules for both the AlienVault and Sigma rules. Overview: This repository contains the following: events.txt, a txt file listing all events (this full list is also shown in the Section Events below); mappings, a direct

CVEs enumerated by FireEye that should be addressed to limit the effectiveness of the leaked Red Team tools: CVE-2019-11510 – pre-auth arbitrary file reading from Pulse Secure SSL VPNs - CVSS 10.0; CVE-2020-1472 – Microsoft Active Directory escalation of privileges - CVSS 10.0; CVE-2018-13379 – pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN

vFeed CVEs Vulnerability Indicators that should be addressed to limit the effectiveness of the Leaked FireEye Red Team tools: CVE-2019-11510 – pre-auth arbitrary file reading from Pulse Secure SSL VPNs - CVSS 10.0; CVE-2020-1472 – Microsoft Active Directory escalation of privileges - CVSS 10.0; CVE-2018-13379 – pre-auth arbitrary file reading from Fortinet Forti

cisa_AA22-011A Test Cases - Understanding and Mitigating Russian State-Sponsored Cyber Threats to US Critical Infrastructure. Vulnerabilities known to be exploited by Russian state-sponsored APT actors for initial access include: CVE-2018-13379 (FortiGate VPNs); CVE-2019-1653 (Cisco router); CVE-2019-2725 (Oracle WebLogic Server); CVE-2019-7609 (Kibana); CVE-2019-9670 (Zimbra software); CVE

Welcome to Goby Goby is a new generation network security assessment tool. It can efficiently and practically scan vulnerabilities while sorting out the most complete attack surface information for a target enterprise. Goby can also quickly penetrate the company intranet based on a company's vulnerabilities exposed to the Internet. We strive for Goby to become a more vita

Security Matters 2022 Resource List Overview: Collection of resources for defending against current threat landscape trends and improving security knowledge. Table of Contents: Security Matters 2022 Resource List; Overview; Common Attack Tools; Most Common Attack Tool List; Defenses; Supply Chain Attacks; Well Known Supply Chain Attacks; Defenses; Vulnerability Exploitation; Known

Red Team Operations Execution Manual

Red Team Field Manual. Statement. Author: By klion. Date: 2020.2.15. Message: may every day after 2020 be well. Reason for sharing: first, to provide a more comprehensive and practical reference for both the "attack" and "defense" sides. As the old saying goes, "without understanding attack, how can one understand defense"; anyone who speaks only of "attack" or only of "defense" is not being serious. Both attack and defense

pocassist database Introduction: this project is the sqlite database file for pocassist. PoC changelog 2021-6-16. Vulnerability type | Vulnerability ID | Vulnerability name: SQL injection | poc-10001 | zzcms SQL injection; SQL injection | poc-10007 | phpshe 1.7 SQL injection; SQL injection | poc-10012 | Metinfo arbitrary file read vulnerability; SQL injection | poc-10013 | FineCMS 5.0.10 arbitrary SQL execution; SQL injection | poc-10015 | Joomla Compone

Community curated list of template files for the nuclei engine to find security vulnerability and fingerprinting the targets.

Templates are the core of nuclei scanner which power the actual scanning engine. This repository stores and houses various templates for the scanner provided by our team as well as contributed by the community. We hope that you also contribute by sending templates via pull requests and grow the list. Template Directory ├── LICENSE ├── README.md ├── basic-dete

Summary of offensive vulnerabilities in mainstream vendors' products. Security expert @Alexander Knorr shared on Twitter some critical vendor CVEs; only the CVE numbers were listed, with no vulnerability details. So, building on the shared image, we added vulnerability titles, official advisories, vulnerability analyses, exploit code and proofs of concept, and added or removed several CVEs; in addition

Nuclei Templates Templates are the core of nuclei scanner which power the actual scanning engine This repository stores and houses various templates for the scanner provided by our team as well as contributed by the community We hope that you also contribute by sending templates via pull requests or Github issue and grow the list Resources Templates Documentation Contr

Customized templates originally pulled from `projectdiscovery/nuclei-templates`

Kenzer Templates [1289] TEMPLATE | TOOL | FILE: favinizer | favinizer | favinizer.yaml; CVE-2017-5638 | jaeles | jaeles\cvescan\critical\CVE-2017-5638.yaml; CVE-2017-6360 | jaeles | jaeles\cvescan\critical\CVE-2017-6360.yaml; CVE-2017-6361 | jaeles | jaeles\cvescan\critical\CVE-2017-6361.yaml; CVE-2017-9841 | jaeles | jaeles\cvescan\critical\CVE-2017-9841.yaml; CVE-2018-16763 | jaeles | jaeles\

Summary of all security news published on the Alpha Lab WeChat official account in 2020

Welcome to follow the Alpha Lab WeChat official account. 2020.12.31 [Vulnerability] The 10 most critical CVEs added in 2020: blog.detectify.com/2020/12/30/top-10-critical-cves-added-in-2020/ UAF vulnerability in Chromium RawClipboardHostImpl: bugs.chromium.org/p/chromium/issues/detail?id=1101509 [Tool] Sarenka: an OSINT tool that gathers data from services such as shodan and censys in one place

SecBooks Collection of articles from major security libraries and WeChat official accounts; some libraries are deployed with gitbook, while some accounts consist mainly of scattered articles. Plugins used: "hide-element", "back-to-top-button", "-lunr", "-search", "search-pro", "splitter" # table-of-contents auto-generation plugin (book sm) npm install -g gitbook-summ

PoC in GitHub 2022 CVE-2022-0185 (2022-02-11) A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length. An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a f

PoC in GitHub 2020 CVE-2020-0014 It is possible for a malicious application to construct a TYPE_TOAST window manually and make that window clickable. This could lead to a local escalation of privilege with no additional execution privileges needed. User action is needed for exploitation. Product: Android. Versions: Android-8.0, Android-8.1, Android-9, Android-10. Android ID: A-1286745

PoC auto collect from GitHub.

PoC in GitHub 2020 CVE-2020-0022 In reassemble_and_dispatch of packet_fragmenter.cc, there is a possible out of bounds write due to an incorrect bounds calculation. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0, Android-8.1, Android-9, Andr

Recent Articles

Microsoft blocks Polonium hackers from using OneDrive in attacks
BleepingComputer • Sergiu Gatlan • 02 Jun 2022

Microsoft said it blocked a Lebanon-based hacking group it tracks as Polonium from using the OneDrive cloud storage platform for data exfiltration and command and control while targeting and compromising Israeli organizations.
The company also suspended more than 20 malicious OneDrive applications used in Polonium's attacks, notifying the targeted organizations and quarantining the threat actors' tools via security intelligence updates.
Throughout the attacks that mainly targeted I...

Ransomware: How Attackers are Breaching Corporate Networks
Symantec Threat Intelligence Blog • Karthikeyan C Kasiviswanathan Vishal Kamble • 28 Apr 2022

Latest tools, tactics, and procedures being used by the Hive, Conti, and AvosLocker ransomware operations.

Targeted ransomware attacks continue to be one of the most critical cyber risks facing organizations of all sizes. The tactics used by ransomware attackers are continually evolving, but by identifying the most freq...

The Threat Landscape in 2021
Symantec Threat Intelligence Blog • Threat Hunter Team • 19 Jan 2022

Symantec takes a look at the cyber security trends that shaped the year

From the evolving ransomware ecosystem to attacks against critical infrastructure, Symantec looks back over the cyber-security trends that shaped 2021.

A new whitepaper from Symantec, a division of Broadcom Software, takes a look back at the some of t...

Exchange, Fortinet Flaws Being Exploited by Iranian APT, CISA Warns
Threatpost • Lisa Vaas • 17 Nov 2021

A state-backed Iranian threat actor has been using multiple CVEs – including both serious Fortinet vulnerabilities for months and a Microsoft Exchange ProxyShell weakness for weeks – looking to gain a foothold within networks before moving laterally and launching BitLocker ransomware and other nastiness.
A joint advisory published by CISA on Wednesday was meant to highlight the ongoing, malicious cyber assault, which has been tracked by the FBI, the U.S. Cybersecurity and Infrastructur...

Emails, chat logs, more leaked online from far-right militia linked to US Capitol riot
The Register • Iain Thomson in San Francisco • 28 Sep 2021

Plus: Other infosec news from this month

In brief Emails, chat logs, membership records, donor lists and other files siphoned from a far-right anti-government self-styled militia were leaked online on Monday, it appears.
Some 5GB of data belonging to the Oath Keepers ‒ at least four of whom have been indicted for and admitted their role in the January 6 storming of the US capitol – was passed to the DDoSecrets Collective and shared online. The membership list contains accounts with 160 US government and military email address...

Researchers compile list of vulnerabilities abused by ransomware gangs
BleepingComputer • Sergiu Gatlan • 18 Sep 2021

Security researchers are compiling an easy-to-follow list of vulnerabilities ransomware gangs and their affiliates are using as initial access to breach victims' networks.
All this started with
, a member of Recorded Future's CSIRT (computer security incident response team), on Twitter over the weekend.
Since then, with the help of several other contributors that joined his efforts, the list quickly grew to include security flaws found in products from over a dozen different s...

Thousands of Fortinet VPN Account Credentials Leaked
Threatpost • Lisa Vaas • 09 Sep 2021

Credentials pilfered from 87,000 unpatched Fortinet SSL-VPNs have been posted online, the company has confirmed.
Or then again, maybe the number is far greater. On Wednesday, BleepingComputer reported that it’s been in touch with a threat actor who leaked a list of nearly half a million Fortinet VPN credentials, allegedly scraped from exploitable devices last summer.
The news outlet has analyzed the file and reported that it contains VPN credentials for 498,908 users over 12,856 de...

Patch now? Why enterprise exploits are still partying like it's 1999
The Register • Davey Winder • 08 Sep 2021

Am I only dreaming, or is this burning an Eternal Blue?

Some vulnerabilities remain unreported for the longest time. The 12-year-old Dell SupportAssist remote code execution (RCE) flaw – which was finally unearthed earlier this year – would be one example.
Others, however, have not only been long since reported and had patches released, but continue to pose a threat to enterprises. A joint advisory from the National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA), published in late July, liste...

FBI: APT hackers breached US local govt by exploiting Fortinet bugs
BleepingComputer • Sergiu Gatlan • 27 May 2021

The Federal Bureau of Investigation (FBI) says state-sponsored attackers breached the webserver of a U.S. municipal government after hacking a Fortinet appliance.
"As of at least May 2021, an APT actor group almost certainly exploited a Fortigate appliance to access a webserver hosting the domain for a U.S. municipal government," the FBI's Cyber Division said in a 
 published today.
After gaining access to the local government organization's server, the advanced persistent th...

Iranian hacking group targets Israel with wiper disguised as ransomware
BleepingComputer • Sergiu Gatlan • 25 May 2021

An Iranian hacking group has been observed camouflaging destructive attacks against Israeli targets as ransomware attacks while maintaining access to victims' networks for months in what looks like an extensive espionage campaign.
The threat actor, tracked as 
 by SentinelLabs researchers, has targeted Israel starting with December 2020.
"Initially engaged in espionage activity, Agrius deployed a set of destructive wiper attacks against Israeli targets, masquerading the activ...

Hackers Exploit Fortinet Flaw in Sophisticated Cring Ransomware Attacks
Threatpost • Elizabeth Montalbano • 08 Apr 2021

Threat actors are exploiting a Fortinet vulnerability flagged by the feds last week that delivers a new ransomware strain, dubbed Cring, that is targeting industrial enterprises across Europe.
Researchers say the attackers are exploiting an unpatched path-traversal flaw, tracked as CVE-2018-13379, in Fortinet's FortiOS. The goal is to gain access to victims' enterprise networks and ultimately deliver ransomware, according to a report by Kaspersky researchers published this week.
“...

New Cring ransomware hits unpatched Fortinet VPN devices
BleepingComputer • Sergiu Gatlan • 07 Apr 2021

A vulnerability impacting Fortinet VPNs is being exploited by a new human-operated ransomware strain known as Cring to breach and encrypt industrial sector companies' networks.
 (also known as Crypt3r, Vjiszy1lo, Ghost, Phantom) was 
 by Amigo_A in January and 
 by the CSIRT team of Swiss telecommunications provider Swisscom.
The Cring operators drop customized Mimikatz samples, followed by CobaltStrike after gaining initial access and deploy the ransomware payloads ...

'Anomalous surge in DNS queries' knocked Microsoft's cloud off the web last week
The Register • Iain Thomson in San Francisco • 06 Apr 2021

Plus: Top universities hit by data-stealing extortionists

In brief It was a tsunami of DNS queries that ultimately took out a host of Microsoft services, from Xbox Live to Teams, for some netizens for about an hour on April Fools' Day, Redmond has said.
Or as the Windows giant put it, the outage was the result of "an anomalous surge in DNS queries from across the globe targeting a set of domains hosted on Azure." In a postmortem examination of the downtime, Microsoft said the flood of requests triggered a programming flaw in its infrastructure that h...

FBI: APTs Actively Exploiting Fortinet VPN Security Holes
Threatpost • Tara Seals • 02 Apr 2021

The FBI and the Cybersecurity and Infrastructure Security Agency are warning that advanced persistent threat (APT) nation-state actors are actively exploiting known security vulnerabilities in the Fortinet FortiOS cybersecurity operating system, affecting the company’s SSL VPN products.
According to an alert issued Friday by the FBI and CISA, cyberattackers are scanning devices on ports 4443, 8443 and 10443, looking for unpatched Fortinet security implementations. Specifically, APTs are ...

FBI and CISA warn of state hackers attacking Fortinet FortiOS servers
BleepingComputer • Sergiu Gatlan • 02 Apr 2021

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warn of advanced persistent threat (APT) actors targeting Fortinet FortiOS servers using multiple exploits.
In the Joint Cybersecurity Advisory (CSA) published today, the agencies warn admins and users that the state-sponsored hacking groups are actively exploiting Fortinet FortiOS vulnerabilities
,
, and
.
The attackers are enumerating servers unpatched...

Passwords exposed for almost 50,000 vulnerable Fortinet VPNs
BleepingComputer • Ax Sharma • 25 Nov 2020

A hacker has now leaked the credentials for almost 50,000 vulnerable Fortinet VPNs.
Over the weekend a hacker had posted a list of
 for CVE-2018-13379 to steal VPN credentials from these devices, as reported by BleepingComputer.
Present on the list of vulnerable targets are domains belonging to high street banks, telecoms, and government organizations from around the world.
The exploitation of critical FortiOS vulnerability CVE-2018-13379 lets an attacker access ...

Hacker posts exploits for over 49,000 vulnerable Fortinet VPNs
BleepingComputer • Ax Sharma • 22 Nov 2020

A hacker has posted a list of one-line exploits to steal VPN credentials from almost 50,000 Fortinet VPN devices.
Present on the list of vulnerable targets are domains belonging to high street banks and government organizations from around the world.
The vulnerability being referred to here is CVE-2018-13379, a path traversal flaw impacting a large number of unpatched FortiNet FortiOS SSL VPN devices.
By exploiting this vulnerability, unauthenticated remote attackers can a...

Attackers chain Windows, VPN flaws to target US government agencies
welivesecurity • 13 Oct 2020

Threat actors have been chaining vulnerabilities in Windows and Virtual Private Network (VPN) services to target various government agencies, critical infrastructure and election organizations, according to a warning by the United States’ Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI). The technique, which involves exploiting several flaws over the course of a single attack to infiltrate an organization’s network, is part of the gangs’ ram...

Election Systems Under Attack via Microsoft Zerologon Exploits
Threatpost • Lindsey O'Donnell • 13 Oct 2020

U.S. government officials have warned that advanced persistent threat actors (APTs) are now leveraging Microsoft’s severe privilege-escalation flaw, dubbed “Zerologon,” to target elections support systems.
Days after Microsoft sounded the alarm that an Iranian nation-state actor was actively exploiting the flaw (CVE-2020-1472), the Cybersecurity Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint advisory warning of further attacks.

The seven deadly sins letting hackers hijack America's govt networks: These unpatched bugs leave systems open
The Register • Shaun Nichols in San Francisco • 12 Oct 2020

'Unauthorized access to elections support systems' detected, though 'no evidence to date that integrity of elections data has been compromised'
Big US election coming up, security is vital and, oh look... a federal agency just got completely pwned for real

If you're wondering which bugs in particular miscreants are exploiting to break into, or attempt to break into, US government networks, wonder no more. And then make sure you've patched them.
Uncle Sam's Dept of Homeland Security has this month identified at least six possible routes into the nation's computer systems, and the method used to gain total control over the machines once inside. Those six vulnerabilities are...
...plus CVE-2020-1472, aka ZeroLogon, in Microsoft Windows, w...

Iranian hackers are selling access to corporate networks
BleepingComputer • Sergiu Gatlan • 01 Sep 2020

An Iranian-backed hacker group has been observed while seeking to sell access to compromised corporate networks to other threat actors on underground forums and attempting to exploit F5 BIG-IP devices vulnerable to CVE-2020-5902 exploits.
The Iranian hackers have been active since at least 2017 and are being tracked as Pioneer Kitten by cyber-security firm Crowdstrike, as Fox Kitten [
,
] by threat intelligence firm ClearSky, and as
[
,
] by ICS security f...

Hackers Look to Steal COVID-19 Vaccine Research
Threatpost • Tara Seals • 16 Jul 2020

Threat actor known as APT29 has been hard at work attempting to pilfer COVID-19 vaccine research from academic and pharmaceutical research institutions in various countries around the world, including the U.S.
That’s according to a joint alert from the U.S. Department of Homeland Security (DHS), the U.K.’s National Cyber Security Centre (NCSC) and Canada’s Communications Security Establishment (CSE),  issued Thursday.
The 14-page advisory details the recent activity of Russi...

NSA releases guidance on securing IPsec Virtual Private Networks
BleepingComputer • Sergiu Gatlan • 02 Jul 2020

The US National Security Agency (NSA) has published guidance on how to properly secure IP Security (IPsec) Virtual Private Networks (VPNs) against potential attacks.
Besides providing organizations with recommendations on how to secure IPsec tunnels, NSA's VPN guidance also highlights the importance of using strong cryptography to protect sensitive info contained within traffic while traversing untrusted networks when connecting to remote servers.
Following these recommendations...

APT Groups Exploiting Flaws in Unpatched VPNs, Officials Warn
Threatpost • Elizabeth Montalbano • 08 Oct 2019

State-sponsored advanced persistent threat (APT) groups are using flaws in outdated VPN technologies from Palo Alto Networks, Fortinet and Pulse Secure to carry out cyber attacks on targets in the United States and overseas, warned U.S. and U.K. officials.
The National Security Agency (NSA) issued a Cybersecurity Advisory Monday about the threats and offered mitigation suggestions, warning that multiple APT actors have weaponized three critical vulnerabilities first published in August–C...

Law enforcement action pushes ransomware gangs to surgical attacks
BleepingComputer • Bill Toulas

The numerous law enforcement operations leading to the arrests and takedown of ransomware operations in 2021 have forced threat actors to narrow their targeting scope and maximize the efficiency of their operations.
Most of the notorious Ransomware-as-a-Service (RaaS) gangs continue their operations even after the law enforcement authorities have 
 but have refined their tactics for maximum impact.
According to an analysis published by Coveware, which looks at ransom ...

Fortinet delays patching zero-day allowing remote server takeover
BleepingComputer • Sergiu Gatlan

Fortinet has delayed patching a zero-day command injection vulnerability found in the FortiWeb web application firewall (WAF) until the end of August.
Successful exploitation can let authenticated attackers execute arbitrary commands as the root user on the underlying system via the SAML server configuration page.
While attackers must be authenticated to the management interface of the targeted FortiWeb device to abuse this bug, they can easily chain it with other vulnerabilitie...

The Register

If you're wondering which bugs in particular miscreants are exploiting to break into, or attempt to break into, US government networks, wonder no more. And then make sure you've patched them.
Uncle Sam's Dept of Homeland Security has this month identified at least six possible routes into the nation's computer systems, and the method used to gain total control over the machines once inside. Those six vulnerabilities are...
...plus CVE-2020-1472, aka ZeroLogon, in Microsoft Windows, w...

Hackers used VPN flaws to access US govt elections support systems
BleepingComputer • Sergiu Gatlan

Government-backed hackers have compromised and gained access to US elections support systems by chaining together VPN vulnerabilities and the recent Windows CVE-2020-1472 security flaw.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) says that advanced persistent threat (APT) actors used this vulnerability chaining tactic to target federal and SLTT (state, local, tribal, and territorial) government networks, as well as election organizations, and critical infrastructure....

Iranian hackers target VMware Horizon servers with Log4j exploits
BleepingComputer • Bill Toulas

An Iranian-aligned hacking group tracked as TunnelVision was spotted exploiting Log4j on VMware Horizon servers to breach corporate networks in the Middle East and the United States.
Security analysts at SentinelLabs who have been tracking the activity chose that name due to the group's heavy reliance on tunneling tools, which help them hide their activities from detection solutions.
Tunneling is the process of routing data traffic in such a way that its transmission becomes obfuscat...

Five Eyes nations reveal 2021's fifteen most-exploited flaws
The Register • Jessica Lyons Hardcastle

Malicious cyber actors go after 2021's biggest misses, spend less time on the classics

Security flaws in Log4j, Microsoft Exchange, and Atlassian's workspace collaboration software were among the bugs most frequently exploited by "malicious cyber actors" in 2021, according to a joint advisory by the Five Eyes nations' cybersecurity and law enforcement agencies.
It's worth noting that 11 of the 15 flaws on the list were disclosed in 2021, whereas previous years' lists often found miscreants exploiting older vulns for which patches had been available for years.
Of course...

Fortinet patches bug letting attackers takeover servers remotely
BleepingComputer • Sergiu Gatlan

Fortinet has released security updates to address a command injection vulnerability that can let attackers take complete control of servers running vulnerable FortiWeb web application firewall (WAF) installations.
The security flaw, discovered by Rapid7 researcher William Vu, is yet to receive a CVE ID; it impacts Fortinet FortiWeb versions 6.3.11 and earlier.
Successful exploitation allows authenticated attackers to execute arbitrary commands as the root user on the under...

Russia stole US defense data from IT systems, says CISA
The Register • Simon Sharwood, APAC Editor

Clearly no need for leet zero-day hax when you can spearphish and exploit months-old vulnerabilities

A two-year campaign by state-sponsored Russian entities to siphon information from US defense contractors worked, it is claimed.
Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday said Moscow's cyber-snoops have obtained "significant insight into US weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology."
The Agency added that the intruders made off with sensi...