Forti VPN credentials on sale

Hackers have published a list of credentials for nearly 50,000 Fortinet Inc. FortiGate VPNs connected to the internet that can be exploited using a known vulnerability.

The 6.7-gigabyte uncompressed database is being offered on forums by a hacking group named pumpedkicks.

The vulnerability is known to be a “path traversal vulnerability in the FortiOS SSL VPN web portal [that] may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.”

In July, Fortinet warned that APT 29, also known as Cozy Bear, was using the vulnerability to target COVID-19 vaccine development in Canada, the U.S. and the U.K.

All Fortinet customers are advised, if they haven’t done so already, to immediately upgrade all FortiGate systems to the latest firmware releases, to validate that all SSL-VPN local users are expected, with correct email addresses assigned, and to perform a password reset on all users.

The exploitation of the specific CVE allowed an unauthenticated attacker to download system files through uniquely crafted HTTP resource requests. By using special elements such as ‘..’ and ‘/’ separators, attackers can get around the restricted location to access files or directories that are elsewhere on the system.
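To make the ‘..’ and ‘/’ mechanics concrete from the defender's side, here is an added example (not from the original article or from Fortinet) that scans web access-log lines for request targets that climb above the root they start from, including percent-encoded and double-encoded forms. The log lines are constructed, and the function names and the decode-round limit are assumptions of this sketch.

```python
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # assumption: unwraps double and triple percent-encoding
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (documentation addresses, made-up paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Nov/2020:10:00:01 +0000] "GET /portal/css/../img/logo.png HTTP/1.1" 200 512',
    '203.0.113.9 - - [25/Nov/2020:10:00:02 +0000] "GET /portal/../../etc/passwd HTTP/1.1" 404 0',
    '203.0.113.9 - - [25/Nov/2020:10:00:03 +0000] "GET /portal/%252e%252e%252f%252e%252e%252fetc/passwd HTTP/1.1" 404 0',
    '198.51.100.4 - - [25/Nov/2020:10:00:04 +0000] "GET /portal/page?file=..%2f..%2fetc%2fpasswd HTTP/1.1" 200 90',
    '198.51.100.5 - - [25/Nov/2020:10:00:05 +0000] "GET /portal/login?user=alice HTTP/1.1" 200 90',
]


def fully_decode(value):
    """Percent-decode repeatedly so that %252e%252e is finally seen as '..'."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_root(request_target):
    """Return True if the path, or any query value, climbs above its root."""
    path, _, query = request_target.partition("?")
    candidates = [path] + [pair.partition("=")[2] for pair in query.split("&")]
    for raw in candidates:
        depth = 0
        for segment in fully_decode(raw).replace("\\", "/").split("/"):
            if segment in ("", "."):
                continue
            depth += -1 if segment == ".." else 1
            if depth < 0:  # more '..' than directories entered so far
                return True
    return False


def flag_traversal(lines):
    """Return the request targets in the log lines that escape the root."""
    targets = (m.group(1) for m in map(REQUEST_RE.search, lines) if m)
    return [t for t in targets if escapes_root(t)]


if __name__ == "__main__":
    for target in flag_traversal(SAMPLE_LOG):
        print("traversal attempt:", target)
```

The first sample line contains ‘..’ but stays inside the portal directory, so it is not flagged; only requests whose net depth goes negative are reported.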

APT Predictions 2020: as it happened. Predicting 2021

Trying to make predictions about the future is a tricky business. The researchers elaborated on what they predicted, what actually happened, and what is going to happen.

  • The next level of false flag attacks
    Olympic Destroyer, Death Stalker
  • From ransomware to targeted ransomware
    Attacks targeting mainly hospitals and universities
  • New online banking and payments attack vectors
    FIN7, Cobalt Groups, Silence and Magecart, as well as APT threat actors such as Lazarus.
  • More infrastructure attacks and attacks against non-PC targets
    Tunnel Snake, Mosaic Regressor
  • Increased attacks in regions that lie along the trade routes between Asia and Europe
  • Increasing sophistication of attack methods
    Geo-fencing attacks or hosting malware and used for C2 communications.
  • A further change of focus towards mobile attacks
    TwoSail Junk
  • The abuse of personal information: from deep fakes to DNA leaks
    Leaked/stolen personal information is being used more than ever before in up-close and personal attacks.

Turning our attention to the future, these are some of the developments that we think will take center stage in the year ahead, based on the trends we have observed this year.

  • APT threat actors will buy initial network access from cybercriminals
  • More Silicon Valley companies will take action against zero-day brokers
  • Increased targeting of network appliances
  • The emergence of 5G vulnerabilities
  • Demanding money “with menaces”
  • More disruptive attacks
  • Attackers will continue to exploit the COVID-19 pandemic

Muhstik bots

IoT botnet operators keep expanding their arsenal by adding new scanners and exploits to harvest new IoT devices. One such popular botnet, Muhstik, has been observed targeting cloud infrastructures by leveraging several web application exploits.

What you need to know

  • The Muhstik gang has a multi-layered attack strategy built around a payload named pty, which helps download other malicious components and then contacts IRC servers (the botnet’s C2 infrastructure) to receive commands.
  • Muhstik has been using the XMRig miner and scanning modules to target other Linux servers and home routers, along with Mirai source code to encrypt the configurations of its payload and scanning module.
  • Its primary method of propagation is via home routers such as GPON home routers, DD-WRT routers, and Tomato routers.
  • Muhstik has actively exploited web application vulnerabilities: Oracle WebLogic Server bugs (CVE-2019-2725 and CVE-2017-10271) and a Drupal RCE flaw (CVE-2018-7600).

Worth noting

  • The botnet has been found to be linked to a Chinese forensics firm, Shen Zhou Wang Yun Information Technology Co., Ltd.
  • Other notable characteristics in Muhstik malware and infrastructure include the use of a Google Analytics ID and references to anime character ‘Jay’ from a game at

Security tips

Experts recommend that users should be cautious when installing open-source firmware and pay attention to security updates and maintenance patches necessary to keep devices safeguarded. In addition, regular scans and instant patches for vulnerabilities are advisable.

DarkSide 🌚… It’s too dark

DarkSide is run as a Ransomware-as-a-Service (RaaS) operation in which developers are in charge of programming the ransomware software and payment site, and affiliates are recruited to hack businesses and encrypt their devices. Access needs to be gained before the ransomware is distributed.

As part of this arrangement, the DarkSide ransomware developers receive a 10-25% cut, and an affiliate gets 75-90% of any ransom payments they generate.

Distributed storage system to leak data

DarkSide has stated that they are working on a distributed storage system to store and leak victims’ stolen data. Following double-extortion techniques is a well-known strategy.

To disrupt these extortion demands, law enforcement and cybersecurity firms actively try to take down these data leak sites. DarkSide states that they plan to create a distributed “sustainable storage system” in Iran to host the victim’s stolen data for six months.

“Some targets think that if a lot of data has been downloaded from them, then after their publication, hackers and other people will download it for a long time through the TOR. We think so too, so we will change it.” A sustainable server means data will be replicated between servers with a retention of 6 months.

The DarkSide operation announced that they were looking for new Russian affiliates to join their program, who they claim earn an average of $400k per victim.

Unlike other ransomware operations, such as Ryuk, Egregor, and others, DarkSide states that they do not allow attacks on:

  • Medical sector
  • Educational division
  • Non-profit organizations
  • Government sector

It is too soon to tell if DarkSide will keep its promises about not targeting these organizations.