SANS NewsBites

If You Haven’t Patched FortiGate Firewalls By Now, You’ve Been Compromised; Patch Netwrix Auditor ASAP; Snappy Is a Useful Rogue WiFi Detector; Check Processes and Playbooks to Make Sure You Can Rotate API Keys

July 7, 2023  |  Volume XXV - Issue #53

Top of the News


2023-07-03

FortiGate Firewalls Still Unpatched

Researchers at Bishop Fox say that more than 330,000 internet-exposed FortiGate firewalls remain unpatched against a known critical heap-based buffer overflow vulnerability in the devices' VPN component; Fortinet released updates to address the flaw last month.

Editor's Note

The headline should probably read that these firewalls are likely already compromised. Patching them may not suffice.

Johannes Ullrich

That figure means only about 31% of internet-exposed FortiGate devices have been patched in the three-and-a-half weeks or so since Fortinet released the patch. “Time at known risk” is something that needs to be decreasing. If limited downtime windows are the reason (vs. just not noticing the risk), time to escalate to management that one incident will overcome years of availability gained from shortened change windows.

John Pescatore

The flaw affects devices with VPN enabled, so there is a likely chance some of these are not running the VPN. The trick here is that the vulnerable code is present even if the VPN is not used, necessitating an update. The narrowness of the flawed services allows you to test the update before going to production, but you still need to keep moving forward. If you haven't recently, you may want to run a Shodan search for devices in your address space you might have missed.

Lee Neely

The first thing I do when I see the headlines is make sure I have the latest version of the firmware on a FortiGate I have. Now that this is out of the way, I must say a few things. First, it’s hard to figure out when to patch these things. It’s not automatic, and it’s ad hoc. It also can break; I had one of my settings break after an upgrade. I understand why the administrators are not patching: they may not be aware, and they may be concerned about a big outage. It is, however, concerning that the number mentioned is 336,000. It’s also concerning that it's an attack on VPN. If this is true, I can only imagine that hundreds of thousands of companies could be completely owned by now. I hope that is not the case and this is just based on old Shodan data. If this is true and the numbers hold up, expect a lot of breaches in the upcoming months (years?).

Moses Frost

Well, this is depressing news: fully two-thirds of FortiGate firewalls have not yet been patched a month after the fix was released. If cyber criminals haven’t already, they will certainly read Bishop Fox’s blog and take advantage of those organizations that fail to patch the vulnerability lurking in their infrastructure.

Curtis Dukes

2023-07-06

CISA: Patch Netwrix Auditor Software to Protect Networks from TrueBot Malware

The US Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis report warning that TrueBot malware is being used in cyberattacks against networks in the US and Canada. The malware is being deployed by exploiting a known remote code execution vulnerability in Netwrix Auditor software. Users are urged to update vulnerable versions of Netwrix Auditor.


2023-07-02

Snappy Tool Detects Phony WiFi Access Points

A free tool dubbed Snappy detects rogue WiFi access points. Snappy can help users determine whether a public WiFi access point is the same one they have used before, or whether it is suspicious (for example, an "evil twin" advertising a familiar network name from different hardware). The tool uses “SHA256 hashes of wireless access points to determine whether something has changed since your last visit,” computed over fields of the beacon management frames that a genuine access point keeps constant.
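To make the fingerprint-and-compare idea concrete, here is an added example (written for this page; it is not the Snappy code, and the exact fields Snappy hashes may differ). It hashes the stable fields of a beacon (SSID, BSSID, channel, capability bits, supported rates, the RSN element and vendor-specific elements) with SHA-256, stores the digest from a trusted visit, and classifies what is seen on a later visit. The beacons below are constructed, not captured; the RSN and WMM element bytes are the standard WPA2-PSK/CCMP and WMM parameter elements. The verdict labels and the decision to key the baseline on BSSID are this example's own choices.

```python
"""Fingerprint Wi-Fi access points from stable beacon-frame fields and compare
against a baseline from an earlier visit. Added example, not the Snappy code."""
import hashlib
import json
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Beacon:
    """Stable fields from one 802.11 beacon. Volatile fields (timestamp,
    sequence number, TIM element, RSSI) are deliberately excluded so the
    digest does not change between beacons from the same genuine AP."""
    ssid: str
    bssid: str                      # AP radio MAC address
    channel: int
    capabilities: int               # Capability Information bitfield
    supported_rates: Tuple[int, ...]
    rsn_ie: str                     # RSN information element as hex, "" if open
    vendor_ies: Tuple[str, ...]     # vendor-specific (ID 221) elements as hex, in order


def fingerprint(b: Beacon) -> str:
    """SHA-256 over a canonical JSON serialisation of the stable fields."""
    canon = json.dumps(
        {
            "ssid": b.ssid,
            "bssid": b.bssid.lower(),
            "channel": b.channel,
            "capabilities": b.capabilities,
            "rates": list(b.supported_rates),
            "rsn": b.rsn_ie.lower(),
            "vendor": [v.lower() for v in b.vendor_ies],
        },
        sort_keys=True,
        separators=(",", ":"),
    )
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def build_baseline(beacons: List[Beacon]) -> Dict[str, Dict[str, str]]:
    """Record each AP seen on a trusted visit, keyed by BSSID."""
    return {b.bssid.lower(): {"ssid": b.ssid, "sha256": fingerprint(b)} for b in beacons}


def assess(seen: List[Beacon], baseline: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Classify each AP seen now against the baseline:
       match       - same BSSID, identical fingerprint
       changed     - same BSSID, but a stable field differs (e.g. RSN dropped)
       evil-twin?  - a known SSID advertised by a BSSID never seen before
       unknown     - SSID and BSSID both unseen (no opinion either way)"""
    known_ssids = {v["ssid"] for v in baseline.values()}
    verdicts: Dict[str, str] = {}
    for b in seen:
        key = b.bssid.lower()
        entry = baseline.get(key)
        if entry is None:
            verdicts[key] = "evil-twin?" if b.ssid in known_ssids else "unknown"
        elif entry["sha256"] == fingerprint(b):
            verdicts[key] = "match"
        else:
            verdicts[key] = "changed"
    return verdicts


# Constructed sample data (not a real capture).
WPA2_PSK_CCMP = "30140100000fac040100000fac040100000fac020c00"   # standard RSN element
WMM_PARAM = "dd180050f2020101800003a4000027a4000042435e0062322f00"  # standard WMM element

GENUINE = Beacon("CoffeeShop", "a4:2b:8c:10:20:30", 6, 0x0411,   # ESS + Privacy + short slot
                 (2, 4, 11, 22, 12, 18, 24, 36), WPA2_PSK_CCMP, (WMM_PARAM,))
# Same SSID, different radio, open network, no vendor elements: the classic evil twin.
TWIN = Beacon("CoffeeShop", "de:ad:be:ef:00:01", 6, 0x0401,
              (2, 4, 11, 22, 12, 18, 24, 36), "", ())
# An unrelated network we have never seen; no baseline, so no verdict.
OTHER = Beacon("Hotel-Guest", "02:00:00:00:00:99", 11, 0x0401, (2, 4, 11, 22), "", ())
# Same BSSID as GENUINE but security stripped: same radio, changed behaviour.
DOWNGRADED = replace(GENUINE, capabilities=0x0401, rsn_ie="")

BASELINE = build_baseline([GENUINE])
SECOND_VISIT = [GENUINE, TWIN, OTHER]

if __name__ == "__main__":
    for bssid, verdict in assess(SECOND_VISIT, BASELINE).items():
        print(f"{bssid}  {verdict}")
    print(assess([DOWNGRADED], BASELINE))
```

Two caveats a practitioner should keep in mind. First, a fingerprint is a heuristic, not authentication: an attacker who clones every stable field, including the BSSID and vendor elements, produces an identical digest, so the check catches careless evil twins rather than determined ones. Second, a legitimate firmware update or a configuration change on the real AP also yields "changed"; treat that verdict as a prompt to look, not as proof of a rogue.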


2023-07-06

JumpCloud Invalidates Admin API Keys

Colorado-based JumpCloud has reset all API keys in the wake of an “ongoing incident.” JumpCloud, a cloud-based directory-as-a-service platform, has published a support page that includes instructions for generating new API keys.

The Rest of the Week's News


2023-06-30

NJ State Supreme Court: Wiretap Order Required for Continuous Surveillance of FB Account

New Jersey’s State Supreme Court has ruled that law enforcement must obtain a wiretap order to access Facebook account data in near real-time. The ruling overturned a lower court decision that had treated a warrant as sufficient to compel Meta to provide the contents of two users’ accounts every 15 minutes over a 30-day period. The lower court had reasoned that the 15-minute delay rendered the information “stored communications” rather than a live intercept. The state Supreme Court disagreed, noting that ”the nearly contemporaneous acquisition of electronic communications here is the functional equivalent of wiretap surveillance and is therefore entitled to greater constitutional protection.”

Editor's Note

Privacy laws in the US are still a patchwork that varies by state. This ruling aligns NJ with the rest of the country when it comes to privacy protections and legal oversight of data access requests by law enforcement. Perhaps Congress will help sort this patchwork out by enacting new privacy legislation.

Curtis Dukes

Having some guard rails on the legal process is appropriate, and using the wiretap analogy to monitor data is about as close of a fit without waiting on new regulations. Even with a wiretap order, the question remains as to whether organizations like Facebook, Google and Microsoft will honor them as being good enough.

Moses Frost

This makes a lot of sense in the digital age. Think of real-time access to a real-time phone call. This could be via voice over IP, Webex, zoom, direct messages, SMS, MMS, iMessage, and many other real-time communications media. Think of legacy posts as a voicemail. If the order relates to real-time communications, then I think it should stand to reason that wiretap is appropriate, if not badly named.

Moses Frost

2023-07-06

Port of Nagoya Cargo Operations Resume After Ransomware Attack

Japan’s Port of Nagoya became the victim of a ransomware attack on the morning of Tuesday, July 4. The attack affected the Nagoya Port Unified Terminal System (NUTS), the system that manages the port’s cargo terminals, and left the port unable to load and unload cargo for two days. The Port of Nagoya began to resume cargo operations on Thursday, July 6.


2023-06-30

CISA Adds Eight Vulnerabilities to KEV Catalog

Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) added eight vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Two of the issues affect D-Link products: a command execution vulnerability in the D-Link DIR-859 Router and a command injection vulnerability in the D-Link DWL-2600AP Access Point. Six of the vulnerabilities affect Samsung mobile devices: an out-of-bounds read vulnerability, an improper input validation vulnerability, two race condition vulnerabilities, an improper boundary check vulnerability, and an unspecified vulnerability. Federal Civilian Executive Branch (FCEB) agencies have until July 20 to mitigate the issues.
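KEV additions come with a due date, and the useful question for a team is not "what was added" but "which of these touch vendors we actually run, and how many days are left." The script below is an added example (not CISA tooling) that answers that from the catalog's JSON feed: it filters by date added, buckets entries into overdue / due soon / later relative to a chosen day, and intersects them with a vendor inventory. The embedded sample follows the feed's field names but is constructed; its CVE IDs are placeholders, not the identifiers CISA added in the story above. `fetch_feed()` pulls the live catalog from the published URL and is the only part that needs network access.

```python
"""Triage entries from CISA's Known Exploited Vulnerabilities (KEV) feed by
date added, due date and vendor. Added example; sample entries are constructed."""
import json
import urllib.request
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, Iterable, List

# Published feed location; only used when fetch_feed() is called explicitly.
KEV_JSON_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the feed's schema. CVE IDs are placeholders.
SAMPLE_FEED = json.loads("""
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "D-Link", "product": "DIR-859 Router",
     "vulnerabilityName": "D-Link DIR-859 Router Command Execution Vulnerability",
     "dateAdded": "2023-06-29", "shortDescription": "placeholder",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2023-07-20"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Samsung", "product": "Mobile Devices",
     "vulnerabilityName": "Samsung Mobile Devices Race Condition Vulnerability",
     "dateAdded": "2023-06-29", "shortDescription": "placeholder",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2023-07-20"},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor", "product": "Widget",
     "vulnerabilityName": "ExampleVendor Widget Placeholder Vulnerability",
     "dateAdded": "2023-05-01", "shortDescription": "placeholder",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2023-05-22"}
  ]
}
""")


def fetch_feed() -> dict:
    """Download the live catalog (network access required)."""
    with urllib.request.urlopen(KEV_JSON_URL, timeout=30) as resp:
        return json.load(resp)


def added_since(feed: dict, since: date) -> List[dict]:
    """Entries whose dateAdded is on or after `since`."""
    return [v for v in feed["vulnerabilities"]
            if date.fromisoformat(v["dateAdded"]) >= since]


def due_status(feed: dict, today: date, horizon_days: int = 14) -> Dict[str, List[str]]:
    """Bucket CVE IDs into overdue / due_soon / later relative to `today`.
    'due_soon' means the CISA dueDate falls within `horizon_days` of today."""
    out: Dict[str, List[str]] = {"overdue": [], "due_soon": [], "later": []}
    cutoff = today + timedelta(days=horizon_days)
    for v in feed["vulnerabilities"]:
        due = date.fromisoformat(v["dueDate"])
        if due < today:
            out["overdue"].append(v["cveID"])
        elif due <= cutoff:
            out["due_soon"].append(v["cveID"])
        else:
            out["later"].append(v["cveID"])
    return out


def by_vendor(entries: Iterable[dict], inventory: Iterable[str]) -> Dict[str, List[str]]:
    """Keep only vendors present in our asset inventory (case-insensitive match)."""
    wanted = {name.lower() for name in inventory}
    hits: Dict[str, List[str]] = defaultdict(list)
    for v in entries:
        if v["vendorProject"].lower() in wanted:
            hits[v["vendorProject"]].append(v["cveID"])
    return dict(hits)


if __name__ == "__main__":
    today = date(2023, 7, 7)  # fixed so the sample output is reproducible
    recent = added_since(SAMPLE_FEED, today - timedelta(days=14))
    print("added in last 14 days:", [v["cveID"] for v in recent])
    print("due status:", due_status(SAMPLE_FEED, today))
    print("in our inventory:", by_vendor(recent, ["Samsung", "Cisco"]))
```

The KEV due date binds FCEB agencies, but the same feed is a reasonable prioritisation signal for anyone: an entry is there because exploitation has been observed, not because of a CVSS score.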


2023-07-06

Update SolarView Systems

Researchers from VulnCheck have described three critical vulnerabilities in Internet-connected SolarView devices that are used to monitor solar facilities’ power generation, storage, and distribution. One of the vulnerabilities was identified by researchers from Palo Alto Networks Unit 42 last month. All three vulnerabilities are fixed in SolarView version 8.10.


2023-06-30

FBI is Now Tracking Swatting

The US Federal Bureau of Investigation (FBI) has created a database to track swatting attacks. Prior to the database, swatting was not tracked as a discrete crime. While there is no federal anti-swatting law, some US states have passed anti-swatting legislation. Experts are glad the FBI is taking swatting seriously but are not confident that the database will lead to a reduction in swatting incidents.


2023-07-06

No Patch Available for Cisco Vulnerability

Cisco has published a security advisory warning of “a vulnerability in the Cisco ACI Multi-Site CloudSec encryption feature of Cisco Nexus 9000 Series Fabric Switches in ACI mode [that] could allow an unauthenticated, remote attacker to read or modify intersite encrypted traffic.” Cisco has not released fixes and there are no workarounds; the company recommends that customers “disable [affected devices] and to contact their support organization to evaluate alternative options."

Internet Storm Center Tech Corner

DShield pfSense Client Update

https://isc.sans.edu/diary/DShield+pfSense+Client+Update/29994

Exposed Industrial Control Systems

https://isc.sans.edu/diary/Controlling+network+access+to+ICS+systems/30000

Analysis Method for Custom Encoding

https://isc.sans.edu/diary/Analysis+Method+for+Custom+Encoding/29946

IDS Comparisons with DShield Honeypot Data

https://isc.sans.edu/diary/IDS+Comparisons+with+DShield+Honeypot+Data/30002

Truebot Exploits Netwrix Auditor

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-187a

StackRot Linux Privilege Escalation Vulnerability

https://www.openwall.com/lists/oss-security/2023/07/05/1

TeamsPhisher Exploit

https://github.com/Octoberfest7/TeamsPhisher

VMWare Update

https://www.vmware.com/security/advisories/VMSA-2023-0015.html

SNAPPY: Detecting Rogue WiFi Access Points

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/snappy-detecting-rogue-and-fake-80211-wireless-access-points-through-fingerprinting-beacon-management-frames/

RUSTBUCKET Mac Malware

https://www.elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket