15K Fortinet devices compromised through a 2022 vulnerability

A new threat actor calling itself “Belsen Group” has published online data stolen from 15K Fortinet firewall devices worldwide, belonging to both government and private-sector organizations. The data includes IP addresses, passwords and configurations. It was apparently gathered by exploiting a Fortinet zero-day discovered in 2022 (CVE-2022-40684). The flaw, affecting FortiOS, FortiProxy and FortiSwitchManager, allows attackers to run commands on the administrative interface via crafted HTTP/HTTPS requests.

Mitigate it

Disable the HTTP/HTTPS administrative interface, or limit the IP addresses that can reach it.
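The mitigation above, shown as a FortiOS CLI fragment added here for illustration (not taken from Fortinet's advisory or from the original post): the first block is the weak setting, where the WAN interface accepts HTTPS/HTTP administration from anywhere; the second removes HTTP/HTTPS from the interface and adds a local-in policy that only admits the management subnet. The interface name "wan1", the port name "port1" and the subnet 192.0.2.0/24 are placeholder assumptions to be replaced with your own values.

```fortios
# --- Weak: admin web interface reachable from any source on the WAN port ---
config system interface
    edit "wan1"
        set allowaccess ping https http ssh
    next
end

# --- Hardened, step 1: drop HTTP/HTTPS administrative access on the WAN port ---
config system interface
    edit "wan1"
        set allowaccess ping ssh
    next
end

# --- Hardened, step 2 (if web admin must stay on): admit only the management subnet ---
# 192.0.2.0/24 is an assumed placeholder for the real management network.
config firewall address
    edit "mgmt_allowed"
        set subnet 192.0.2.0 255.255.255.0
    next
end

config firewall local-in-policy
    # Explicit allow for the management subnet on the management port (assumed "port1").
    edit 1
        set intf "port1"
        set srcaddr "mgmt_allowed"
        set dstaddr "all"
        set action accept
        set service HTTPS HTTP
        set schedule "always"
        set status enable
    next
    # Catch-all deny for HTTP/HTTPS admin traffic from every other source on every interface.
    edit 2
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service HTTPS HTTP
        set schedule "always"
        set status enable
    next
end
```

After applying, confirm from an address outside the management subnet that the admin port no longer answers, and keep the SSH allowaccess restricted the same way.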

IntelBroker against HPE (again)

The well-known threat actor IntelBroker is selling data exfiltrated from HPE. The information includes source code of various products, GitHub repositories, certificates and Docker builds. Access to different services used by HPE (WePay, APIs, GitHub and GitLab) is also on sale. In February 2024, IntelBroker had already claimed responsibility for compromising HPE’s internal networks, and it is unclear whether the two cases are connected. In 2023, HPE was famously targeted by the Russian state actor APT29, which accessed its cloud-based email environment and stole SharePoint files.

No-click vulnerability impacts Outlook

A recently patched critical vulnerability in Microsoft OLE (CVE-2025-21298), a feature that allows users to embed content across applications, is raising concerns. The RCE vulnerability can be triggered through a rich-text formatted document, usually opened in Office applications. The main attack vector is email; the flaw affects various Outlook versions and is considered low-complexity. Moreover, it might be triggered when a malicious email is merely read or viewed in the preview pane, without requiring any click. For users unable to patch, Microsoft recommended opening emails in plain text.

Many servers exposed to Rsync vulnerabilities

Over 660K servers are exposed to 6 new vulnerabilities in Rsync (CVE-2024-12084 through CVE-2024-12088, and CVE-2024-12747), a popular open-source file synchronization and data transfer tool. By chaining the flaws, attackers might be able to take control of connected servers and execute malicious code by overwriting files.

Mitigate it

Restrict or block access to TCP port 873; disable SHA* support by compiling with CFLAGS=-DDISABLE_SHA512_DIGEST and CFLAGS=-DDISABLE_SHA256_DIGEST (for CVE-2024-12084); compile with -ftrivial-auto-var-init=zero to zero the stack contents (for CVE-2024-12085).

A Chinese APT accesses through flaws in Apache HTTP servers

A newly discovered Chinese cyberespionage APT, nicknamed PlushDaemon, has launched a supply-chain attack against a South Korean VPN provider. The group gains initial access by exploiting vulnerabilities in Apache HTTP servers and uses a large toolkit of 30 components to deliver trojanized software to its victims. It has apparently been operating since late 2023 and has so far compromised IT and semiconductor companies in South Korea, together with organizations in China and Japan.

A PlayStation game targeted through IoT vulnerabilities

The Airashi botnet (formerly named Kitty) has targeted distributions of a popular PlayStation game, “Black Myth: Wukong”, by leveraging zero-days in cnPilot routers together with old IoT vulnerabilities (CVE-2013-3307, CVE-2016-20016). Airashi is a sophisticated multi-version DDoS botnet attacking various industries worldwide. It recently launched a campaign against Japanese companies.
