Showing posts with label Fortinet.

Multi-Stage Phishing Campaign Deploys Amnesia RAT and Ransomware Using Cloud Services


One recently uncovered cyberattack is targeting individuals across Russia through a carefully staged deception campaign. Rather than exploiting software vulnerabilities, the operation relies on manipulating user behavior, according to analysis by Cara Lin of Fortinet FortiGuard Labs. The attack delivers two major threats: ransomware that encrypts files for extortion and a remote access trojan known as Amnesia RAT. Legitimate system tools and trusted services are repurposed as weapons, allowing the intrusion to unfold quietly while bypassing traditional defenses. By abusing real cloud platforms, the attackers make detection significantly more difficult, as nothing initially appears out of place. 

The attack begins with documents designed to resemble routine workplace material. On the surface, these files appear harmless, but they conceal code that runs without drawing attention. Visual elements within the documents are deliberately used to keep victims focused, giving the malware time to execute unseen. Fortinet researchers noted that these visuals are not cosmetic but strategic, helping attackers establish deeper access before suspicion arises. 

A defining feature of the campaign is its coordinated use of multiple public cloud services. Instead of relying on a single platform, different components are distributed across GitHub and Dropbox. Scripts are hosted on GitHub, while executable payloads such as ransomware and remote access tools are stored on Dropbox. This fragmented infrastructure improves resilience, as disabling one service does not interrupt the entire attack chain and complicates takedown efforts. 

Phishing emails deliver compressed archives that contain decoy documents alongside malicious Windows shortcut files labeled in Russian. These shortcuts use double file extensions to impersonate ordinary text files. When opened, they trigger a PowerShell command that retrieves additional code from a public GitHub repository, functioning as an initial installer. The process runs silently, modifies system settings to conceal later actions, and opens a legitimate-looking document to maintain the illusion of normal activity. 

After execution, the attackers receive confirmation via the Telegram Bot API. A deliberate delay follows before launching an obfuscated Visual Basic Script, which assembles later-stage payloads directly in memory. This approach minimizes forensic traces and allows attackers to update functionality without altering the broader attack flow. 

The malware then aggressively disables security protections. Microsoft Defender exclusions are configured, protection modules are shut down, and the defendnot utility is used to deceive Windows into disabling antivirus defenses entirely. Registry modifications block administrative tools, repeated prompts seek elevated privileges, and continuous surveillance is established through automated screenshots exfiltrated via Telegram. 

Once defenses are neutralized, Amnesia RAT is downloaded from Dropbox. The malware enables extensive data theft from browsers, cryptocurrency wallets, messaging apps, and system metadata, while providing full remote control of infected devices. In parallel, ransomware derived from the Hakuna Matata family encrypts files, manipulates clipboard data to redirect cryptocurrency transactions, and ultimately locks the system using WinLocker. 

Fortinet emphasized that the campaign reflects a broader shift in phishing operations, where attackers increasingly weaponize legitimate tools and psychological manipulation instead of exploiting software flaws. Microsoft advises enabling Tamper Protection and monitoring Defender changes to reduce exposure, as similar attacks are becoming more widespread across Russian organizations.

Fortinet Firewalls Targeted as Attackers Bypass Patch for Critical FortiGate Flaw


Critical vulnerabilities in FortiGate systems continue to be exploited even after fixes were deployed, users now confirm. Although updates were released to correct the flaw tracked as CVE-2025-59718, they appear to be incomplete: threat actors can still bypass authentication by taking advantage of the remaining gap. This suggests the earlier remedies failed to close every loophole tied to the flaw, and confidence in the patch process is weakening as real-world attacks persist.

Several admins report breaches on FortiGate units running FortiOS 7.4.9, as well as on systems updated to 7.4.10. While Fortinet said a fix for CVE-2025-59718 shipped in December with version 7.4.9, one user states that internal confirmation showed the flaw persisted past that patch. Updates 7.4.11, 7.6.6, and 8.0.0 are said to be under way, aiming at a complete resolution.

One case involved an administrator spotting a suspicious single sign-on attempt on a FortiGate system with FortiOS version 7.4.9. A security alert appeared after detection of a freshly added local admin profile, behavior seen before during prior attacks exploiting this flaw. Activity records indicated the new account emerged right after an SSO entry tied to the email cloud-init@mail.io. That access came from the IP 104.28.244.114, marking another point in the timeline. 

A few others using Fortinet noticed very similar incidents. Their firewall - running version 7.4.9 of FortiOS - logged an identical email and source IP during access attempts, followed by the addition of a privileged profile labeled “helpdesk.” Confirmation came afterward from Fortinet’s development group: the security flaw remained active even after update 7.4.10. 

Notably, the behavior aligns with earlier observations from Arctic Wolf, a cybersecurity company. In late 2025, they identified exploitation of CVE-2025-59718 through manipulated SAML data. Instead of standard procedures, hackers leveraged flaws in FortiGate's FortiCloud login mechanism. Through this weakness, unauthorized users gained access to privileged administrator credentials.

Nowhere in its recent updates has Fortinet addressed the newest breach claims, even after repeated outreach attempts. With no complete fix available yet, experts suggest pausing certain functions as a stopgap: turning off FortiCloud SSO wherever it is active stands out, since the attacks largely flow through that pathway. Earlier warnings from Fortinet pointed out that FortiCloud SSO stays inactive unless tied to a FortiCare registration, a default that naturally reduces exposure.

Despite that, findings shared by Shadowserver in mid-December revealed over 25,000 such devices already running the feature publicly. Though efforts have protected most of them, around 11,000 still appear accessible across the web. Their security status remains uncertain. 

Faced with unpatched FortiOS versions, admins might consider revising login configurations while Fortinet works on fixes. Some could turn off unused single sign-on options as a precaution. Watching system records carefully may help spot odd behavior tied to admin access during this period.
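A defender-side check for the pattern described in the reports above (a FortiCloud SSO login followed within minutes by a new local admin profile), written here as an added example rather than code from the post. The log lines are constructed in FortiGate key=value event style; the field names `method`, `logdesc`, `cfgpath`, `cfgobj` and `action` are assumptions, not verified device output, so map them to your own firewall's event fields.

```python
import shlex
from datetime import datetime, timedelta

# Constructed sample in FortiGate-style key=value event format (not real device output).
# The SSO user and source IP are the indicators quoted in the reports above; the
# second login/creation pair is a legitimate HTTPS admin that must not be flagged.
SAMPLE_LOG = """\
date=2025-12-20 time=09:12:01 type="event" subtype="system" logdesc="Admin login successful" user="cloud-init@mail.io" method="sso" srcip=104.28.244.114
date=2025-12-20 time=09:12:44 type="event" subtype="system" logdesc="Object attribute configured" user="cloud-init@mail.io" cfgpath="system.admin" cfgobj="helpdesk" action="Add"
date=2025-12-20 time=10:30:12 type="event" subtype="system" logdesc="Admin login successful" user="admin" method="https" srcip=10.0.0.5
date=2025-12-20 time=10:31:00 type="event" subtype="system" logdesc="Object attribute configured" user="admin" cfgpath="system.admin" cfgobj="backup-ops" action="Add"
"""

LOGIN_DESC = "Admin login successful"     # assumed logdesc value for admin logins
CONFIG_DESC = "Object attribute configured"  # assumed logdesc value for config changes


def parse_line(line):
    """Split one key=value line into a dict; shlex keeps quoted values intact."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def event_time(ev):
    return datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")


def find_sso_admin_creation(log_text, window=timedelta(minutes=10)):
    """Return one alert per SSO login that is followed, within `window`, by the
    same user adding a system.admin object. Logins over other methods are ignored."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=event_time)
    alerts = []
    for i, login in enumerate(events):
        if login.get("logdesc") != LOGIN_DESC or login.get("method") != "sso":
            continue
        t0 = event_time(login)
        for later in events[i + 1:]:
            delta = event_time(later) - t0
            if delta > window:
                break  # events are sorted, nothing later can fall in the window
            if (later.get("logdesc") == CONFIG_DESC
                    and later.get("cfgpath") == "system.admin"
                    and later.get("action") == "Add"
                    and later.get("user") == login.get("user")):
                alerts.append({
                    "sso_user": login["user"],
                    "srcip": login.get("srcip"),
                    "new_admin": later.get("cfgobj"),
                    "seconds_after_login": int(delta.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_sso_admin_creation(SAMPLE_LOG):
        print("ALERT:", alert)
```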

December Patch Tuesday Brings Critical Microsoft, Notepad++, Fortinet, and Ivanti Security Fixes


While December's Patch Tuesday gave us a lighter release than normal, it arrived with several urgent vulnerabilities that need attention immediately. In all, Microsoft released 57 CVE patches to finish out 2025, including one flaw already under active exploitation and two others that were publicly disclosed. Notably, critical security updates also came from Notepad++, Ivanti, and Fortinet this cycle, making it particularly important for system administrators and enterprise security teams alike. 

The most critical of Microsoft's disclosures this month is CVE-2025-62221, a Windows Cloud Files Mini Filter Driver bug rated 7.8 on the CVSS scale. It allows for privilege escalation: an attacker who has code execution rights can leverage the bug to escalate to full system-level access. Researchers say this kind of bug is exploited on a regular basis in real-world intrusions, and "patching ASAP" is critical. Microsoft hasn't disclosed yet which threat actors are actively exploiting this flaw; however, experts explain that bugs like these "tend to pop up in almost every big compromise and are often used as stepping stones to further breach". 

Another two disclosures from Microsoft were CVE-2025-54100 in PowerShell and CVE-2025-64671, impacting GitHub Copilot for JetBrains. Although these are not confirmed to be exploited, they were publicly disclosed ahead of patching. Graded at 8.4, the Copilot vulnerability would have allowed for remote code execution via malicious cross-prompt injection, provided a user is tricked into opening untrusted files or connecting to compromised servers. Security researchers expect more vulnerabilities of this type to emerge as AI-integrated development tools expand in usage. 

But one of the more ominous developments outside Microsoft belongs to Notepad++. The popular open-source editor pushed out version 8.8.9 to patch a weakness in the way updates were checked for authenticity. Attackers were managing to intercept network traffic from the WinGUp update client, then redirecting users to rogue servers, where malicious files were downloaded instead of legitimate updates. There are reports that threat groups in China were actively testing and exploiting this vulnerability. Indeed, according to the maintainer, "Due to the improper update integrity validation, an adversary was able to manipulate the download"; therefore, users should upgrade as soon as possible. 

Fortinet also patched two critical authentication bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719, in FortiOS and several related products. The bugs let attackers bypass FortiCloud SSO authentication using crafted SAML messages, which only works if SSO has been enabled. Administrators are advised to disable the feature until they can upgrade to patched builds, to avoid unauthorized access. Rounding out the disclosures, Ivanti released a fix for CVE-2025-10573, a severe cross-site scripting vulnerability in its Endpoint Manager. The bug allows an attacker to register fake endpoints and inject malicious JavaScript into the administrator dashboard; once that dashboard is viewed, the attacker could gain full control of the session without credentials. No exploitation has been observed so far, but researchers warn that attackers are likely to reverse engineer the fix soon, so the patch should be deployed without delay.

Fortinet Acquires Perception Point to Enhance AI-Driven Cybersecurity


Fortinet, a global leader in cybersecurity with a market valuation of approximately $75 billion, has acquired Israeli company Perception Point to bolster its email and collaboration security capabilities. While the financial terms of the deal remain undisclosed, this acquisition is set to expand Fortinet's AI-driven cybersecurity solutions.

Expanding Protections for Modern Workspaces

Perception Point's advanced technology secures vital business tools such as email platforms like Microsoft Outlook and Slack, as well as cloud storage services. It also extends protection to web browsers and social media platforms, recognizing their increasing vulnerability to cyberattacks.

With businesses shifting to hybrid and cloud-first strategies, the need for robust protection across these platforms has grown significantly. Fortinet has integrated Perception Point's technology into its Security Fabric platform, enhancing protection against sophisticated cyber threats while simplifying security management for organizations.

About Perception Point

Founded in 2015 by Michael Aminov and Shlomi Levin, alumni of Israel’s Intelligence Corps technology unit, Perception Point has become a recognized leader in cybersecurity innovation. The company is currently led by Yoram Salinger, a veteran tech executive and former CEO of RedBand. Over the years, Perception Point has secured $74 million in funding from major investors, including Nokia Growth Partners, Pitango, and SOMV.

The company's expertise extends to browser-based security, which was highlighted by its acquisition of Hysolate. This strategic move demonstrates Perception Point's commitment to innovation and growth in the cybersecurity landscape.

Fortinet's Continued Investment in Israeli Cybersecurity

Fortinet’s acquisition of Perception Point follows its 2019 purchase of Israeli company EnSilo, which specializes in threat detection. These investments underscore Fortinet’s recognition of Israel as a global hub for cutting-edge cybersecurity technologies and innovation.

Addressing the Rise in Cyberattacks

As cyber threats become increasingly sophisticated, companies like Fortinet are proactively strengthening digital security measures. Perception Point’s AI-powered solutions will enable Fortinet to address emerging risks targeting email systems and collaboration tools, ensuring that modern businesses can operate securely in today’s digital-first environment.

Conclusion

Fortinet’s acquisition of Perception Point represents a significant step in its mission to provide comprehensive cybersecurity solutions. By integrating advanced AI technologies, Fortinet is poised to deliver enhanced protection for modern workspaces, meeting the growing demand for secure, seamless operations across industries.

New Flaws in Fortinet, SonicWall, and Grafana Pose Significant Threats


Cyble Research and Intelligence Labs (CRIL) has discovered new IT vulnerabilities that affect Fortinet, SonicWall, Grafana Labs, and CyberPanel, among others. 

The report for the week of October 23-29 identifies seven security flaws that require immediate attention from security teams, especially given the large number of exposed devices. The most recent discoveries show that vulnerabilities in Fortinet, SonicWall, and Grafana Labs affect over 1 million web-facing assets.

Notably, two critical vulnerabilities in CyberPanel have already been exploited in huge ransomware assaults. Organisations are recommended to quickly investigate their environments for these vulnerabilities and apply the relevant fixes and mitigations. 

Cyble's researchers have detailed the following top vulnerabilities, emphasising their potential impact on IT security: 

CVE-2024-40766: SonicWall SonicOS 

CVE-2024-40766 indicates an improper access control flaw within the administrative interface of SonicWall's SonicOS, with a severity rating of 9.8. This vulnerability has piqued the interest of managed security organisations such as Arctic Wolf, who report that ransomware gangs such as Fog and Akira are exploiting it in SSL VPN setups to breach networks. 

CVE-2024-9264: Grafana Labs

The 9.4-rated vulnerability, CVE-2024-9264, affects Grafana Labs' open-source analytics and monitoring platform's SQL Expressions capability. This flaw allows for command injection and local file inclusion since user input in 'duckdb' queries is not properly sanitised. 

CVE-2024-46483: Xlight FTP server

This critical integer overflow bug impacts the Xlight FTP Server, allowing hackers to exploit packet parsing logic and cause heap overflows. With the accessibility of public Proof of Concepts (PoCs), this vulnerability could be used in a variety of attack tactics. 

Prevention tips 

  • Ensure that all software and hardware systems receive the most recent patches from official vendors. 
  • Use an organised approach to inventory management, patch assessment, testing, deployment, and verification. 
  • To reduce the attack surface, isolate key assets with firewalls, VLANs, and access controls. 
  • Establish and maintain an incident response strategy, which should be evaluated on a regular basis to respond to emerging threats. 
  • Employ complete monitoring technologies to discover and analyse suspicious actions in real time. 
  • Keep up with vendor, CERT, and other sources' alerts to promptly fix issues.

The Growing Threat of Data Breaches to Australian Businesses


Data breaches are now a significant threat to Australian businesses, posing the risk of "irreversible brand damage." A cybersecurity expert from Fortinet, a global leader in the field, has raised alarms about cybercriminals increasingly targeting the nation’s critical infrastructure. Cybercriminals are continually finding new ways to infiltrate Australia’s infrastructure, making businesses highly vulnerable to attacks. 

The Australian federal government has identified 11 critical sectors under the Security of Critical Infrastructure Act, which was amended in 2018 to enforce stricter regulations. Businesses in these sectors are required to complete annual reporting to notify the federal government of any attempts to access their networks. Michael Murphy, Fortinet’s Head of Operational Technology and Critical Infrastructure, recently discussed the severity of cyber threats on Sky News Business Weekend. During the 2022-2023 financial year, 188 cybersecurity incidents were reported across critical sectors, highlighting ongoing risks to national networks like water and energy supplies. 

Additionally, the Australian Bureau of Statistics found that 34 percent of businesses experienced resource losses managing cybersecurity attacks in the 2021-2022 financial year, and 22 percent of Australian businesses faced a cybersecurity attack during that period—more than double the previous year’s figure. Even small businesses are now vulnerable to cybercrime. Murphy pointed out that among entities with mandatory reporting, 188 incidents were reported, with 142 incidents reported by entities outside of critical infrastructure, demonstrating the widespread nature of the threat. He explained that hackers are motivated by various factors beyond financial gain, including the desire for control. 

The consequences of cyber attacks can be severe, disrupting systems and causing significant downtime, which leads to revenue loss and irreversible brand damage. Critical infrastructure sectors face unique challenges compared to the IT enterprise. Quick restoration of systems is often not an option, and recovery can take considerable time. This extended downtime not only affects revenue but also damages the reputation and trustworthiness of the affected organizations. Murphy noted that many incidents are driven by motives such as financial profiteering, socio-political influence, or simply the desire of hackers and syndicates to boost their credibility. 

As cyber threats evolve, it is crucial for businesses, especially those in critical infrastructure sectors, to strengthen their cybersecurity measures. While annual reporting and adherence to federal regulations are essential, proactive strategies and advanced security technologies are necessary to mitigate risks effectively.

Cybercriminals Are Becoming More Proficient at Exploiting Vulnerabilities


According to Fortinet, cybercriminals have their sights on the increasing number of new vulnerabilities triggered by the expansion of online services and applications, as well as the rapid rise in the number and variety of connected devices. It is inevitable that attacks targeting those vulnerabilities will increase.

The most recent semiannual report provides a snapshot of the active threat landscape and highlights trends from July to December 2023, including an analysis of the rate at which cyber criminals are capitalising on newly discovered exploits from across the cybersecurity industry, as well as the rise of targeted ransomware and wiper activity against the industrial and OT sectors.

Attacks began an average of 4.76 days after new exploits were publicly revealed: FortiGuard Labs, like the 1H 2023 Global Threat Landscape Report, wanted to understand how long it takes for a vulnerability to go from initial release to exploitation, whether flaws with a high Exploit Prediction Scoring System (EPSS) score are exploited faster, and whether EPSS data could be used to predict the average time-to-exploitation.

Vendors’ obligation to disclose flaws 

Based on this analysis, attackers increased the rate at which they exploited newly revealed vulnerabilities in the second half of 2023 (43% faster than in the first half of 2023). This highlights the importance of vendors committing to internally discovering vulnerabilities and implementing patches before exploitation starts. It also emphasises the importance of vendors disclosing vulnerabilities to customers proactively and transparently in order to provide them with the information they need to successfully secure their assets before cyber attackers exploit N-day flaws. 

CISOs and security teams need to be concerned about more than simply newly found vulnerabilities. According to Fortinet telemetry, 41% of organisations discovered exploits from signatures that were less than a month old, while 98% detected N-Day vulnerabilities that had existed for at least five years.

FortiGuard Labs has also observed threat actors exploiting vulnerabilities that are more than 15 years old, emphasising the importance of upholding security hygiene and prompting organisations to act quickly through a consistent patching and updating programme, employing best practices and guidance from organisations such as the Network Resilience Coalition to improve network security overall. 

Ransomware targeting critical sectors 

44% of all ransomware and wiper samples targeted the industrial sector. Ransomware detections decreased by 70% across all Fortinet sensors when compared to the first half of 2023. The observed drop in ransomware over the last year can be attributed to attackers moving away from the old "spray and pray" technique and towards a more focused approach, primarily targeting the energy, healthcare, manufacturing, transportation and logistics, and automotive industries.

Botnets showed remarkable durability, with command and control (C2) connections ceasing on average 85 days after initial detection. While bot traffic remained consistent with the first half of 2023, FortiGuard Labs continued to see the more prominent botnets of recent years, such as Gh0st, Mirai, and ZeroAccess, and three new botnets surfaced in the second half of 2023: AndroxGh0st, Prometei, and DarkGate.

Of the 143 advanced persistent threat (APT) groups listed by MITRE, 38 were observed to be active during the second half of 2023, according to FortiRecon, Fortinet's digital risk prevention solution. The most active groups included the Lazarus Group, Kimsuky, APT28, APT29, Andariel, and OilRig.

“The 2H 2023 Global Threat Landscape Report from FortiGuard Labs continues to shine a light on how quickly threat actors are taking advantage of newly disclosed vulnerabilities. In this climate, both vendors and customers have a role to play. Vendors must introduce robust security scrutiny at all stages of the product development life cycle and dedicate themselves to responsible radical transparency in their vulnerability disclosures. With over 26,447 vulnerabilities across more than 2,000 vendors in 2023 as cited by NIST, it is also critical that customers maintain a strict patching regimen to reduce the risk of exploitation,” stated Derek Manky, Chief Security Strategist and Global VP Threat Intelligence, FortiGuard Labs.

ThirdEye: New Infostealer is Targeting Open System Information


FortiGuard Labs recently noticed some suspicious-looking files during a routine review. An investigation revealed that the files were in fact malicious, and the infostealer they carry has been labeled “ThirdEye”.

While not particularly sophisticated, this malware is made to take different pieces of data from infected devices that can be used as a foundation for more attacks.

The ThirdEye 

The investigation into the infostealer began when FortiGuard Labs researchers noticed an archive file named “Табель учета рабочего времени.zip” (“time sheet” in English). The zip file included two files immediately identified as being “up to no good.”

Both files carry a double extension (a document-related extension followed by .exe). One of them is "СМК Правила оформления больничных листов.pdf.exe", an executable rather than a document, whose name translates to "QMS Rules for issuing sick leave". The file's SHA-256 hash is f6e6d44137cb5fcee20bcde0a162768dadbb84a09cc680732d9e23ccd2e79494.

The ThirdEye infostealer has comparatively simple functionality. It collects a variety of system information from compromised machines, such as BIOS and hardware data, and also enumerates running processes, folders and files, and network data. All of this information is gathered once the malware has run and is then sent to its command-and-control (C2) server at hxxp://shlalala[.]ru/general/ch3ckState. Compared with other infostealers, it does nothing else.

A string unique to the ThirdEye infostealer family is “3rd_eye”, which the malware decrypts and combines with another hash value to identify itself to the C2.

The second file in the archive is “Табель учета рабочего времени.xls.exe”, which shares its name with the parent archive. It is a variant of the ThirdEye infostealer built to perform the same functions as f6e6d44137cb5fcee20bcde0a162768dadbb84a09cc680732d9e23ccd2e79494.

While there is no substantial evidence confirming that the ThirdEye infostealer has been used in attacks, the malware is built to steal valuable information from compromised machines so that its operators can better understand, and further narrow down, potential targets. It is therefore speculated that the infostealer's victims will be subject to future cyberattacks.

Although ThirdEye is not yet considered a severe threat, the FortiGuard investigation found that the threat actors have been strengthening it: recent samples collect more system information than older variants, and it is expected to improve further.
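A filename check that covers both the double-extension shortcuts used as lures in the Amnesia RAT campaign (a text-looking name ending in .lnk) and the ThirdEye samples (.pdf.exe, .xls.exe) described above, added here as an example rather than code from either post. The extension sets and the constructed archive listing are assumptions; the two Russian ThirdEye names come from the post.

```python
from pathlib import PurePosixPath
import zipfile

# Assumed extension sets; extend them for your environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".lnk", ".bat", ".cmd",
                   ".ps1", ".vbs", ".js", ".jse", ".hta", ".msi"}
DOCUMENT_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt",
                 ".pptx", ".rtf", ".odt", ".jpg", ".jpeg", ".png"}


def deceptive_extension(name):
    """Return (decoy_ext, real_ext) when the final extension is executable and the
    one before it imitates a document, e.g. 'sheet.xls.exe' -> ('.xls', '.exe').
    Returns None for ordinary names such as 'report.pdf' or 'backup.tar.gz'."""
    # PurePosixPath: zip member names use '/' and may carry directory prefixes.
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if len(suffixes) < 2:
        return None
    decoy, real = suffixes[-2], suffixes[-1]
    if real in EXECUTABLE_EXTS and decoy in DOCUMENT_EXTS:
        return decoy, real
    return None


def scan_names(names):
    """Map each deceptive member name to its (decoy, real) pair."""
    findings = {}
    for name in names:
        hit = deceptive_extension(name)
        if hit:
            findings[name] = hit
    return findings


def scan_zip(path):
    """Apply the check to every member of a zip archive without extracting it."""
    with zipfile.ZipFile(path) as zf:
        return scan_names(zf.namelist())


# Constructed archive listing modelled on the two campaigns (not a real sample).
SAMPLE_MEMBERS = [
    "Табель учета рабочего времени.xls.exe",   # ThirdEye name quoted in the post
    "Отчет за декабрь.txt.lnk",                 # constructed Amnesia-style shortcut
    "Табель учета рабочего времени.pdf",        # harmless decoy document
    "backup.tar.gz",                            # double extension, but not executable
]

if __name__ == "__main__":
    for name, (decoy, real) in scan_names(SAMPLE_MEMBERS).items():
        print(f"{name}: looks like {decoy}, is really {real}")
```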