The May 2024 Option One Cybersecurity Briefing

By Option One Technologies

We searched through the most popular cybersecurity websites to bring you the latest industry news, updates, and tips.

Cybersecurity Threat News

Exploit for Fortinet Critical RCE Bug Allows SIEM Root Access

A critical vulnerability has been found in Fortinet’s FortiSIEM product, DarkReading reported. The flaw is tracked as CVE-2024-23108, alongside a related bug, CVE-2024-23109.

Both vulnerabilities have a severity score of 10 and involve unauthenticated command injections. An exploit for these flaws, called “NodeZero” by Horizon3AI researchers, allows remote code execution through crafted API requests. The researchers stated that the exploit allows users to “blindly execute commands as root on vulnerable FortiSIEM appliances.”

Affected versions of FortiSIEM include:

  • 7.1.0 to 7.1.1
  • 7.0.0 to 7.0.2
  • 6.7.0 to 6.7.8
  • 6.6.0 to 6.6.3
  • 6.5.0 to 6.5.2
  • 6.4.0 to 6.4.2

Users should immediately apply available patches to prevent potential security breaches.

CatDDoS Threat Groups Are Ramping Up DDoS Attacks

Researchers have detected a surge in activity involving a variant of the Mirai distributed denial-of-service (DDoS) botnet called CatDDoS, DarkReading reported. The attacks have targeted various sectors including cloud vendors, communication providers, construction firms, research entities, and educational institutions in several countries such as the US, France, Germany, Brazil, and China.

CatDDoS first appeared last August and was prevalent in September 2023 but became less visible by December. Recently, researchers from QiAnXin XLab have observed multiple gangs using CatDDoS variants, including RebirthLTD, Komaru, and Cecilio Network. These groups have exploited at least 80 different vulnerabilities in their latest campaign.

“Our system has observed that CatDDoS-related gangs remain active,” QiAnXin stated in a blog post. They have noticed that these groups compromise more than 300 targets daily.

The vulnerabilities exploited affect various products and technologies such as Apache ActiveMQ Servers, Cisco Linksys, Jenkins servers, and NetGear routers. Some of these vulnerabilities are recent, while others are older, including vulnerabilities from 2010 and 2013. QiAnXin mentioned the use of a possible zero-day vulnerability based on execution parameters.

The CatDDoS variants originate from source code that was publicly released last December after a failed attempt to sell it. Though different groups manage these variants, the core elements remain largely identical. QiAnXin unified these variants under the CatDDoS umbrella despite the groups possibly denying this connection.

DDoS botnets continue to pose a significant threat to organizations globally. Many companies have strengthened their network infrastructure to handle DDoS attacks, yet threat actors have also advanced their tactics.

Reports from Nexusguard indicate a shift in attack focus to individual computers and servers, and while DDoS attack volumes fell by 55% in 2023, the size of individual attacks increased by 233%.

XSS Vulnerabilities Found in “Slider Revolution” WordPress Plugin

A recent audit of the Slider Revolution plugin uncovered two major security vulnerabilities in WordPress websites, Infosecurity Magazine reported.

The popular plugin, used by over 9 million users, had an unauthenticated stored XSS flaw. This could enable unauthorized users to steal information and escalate privileges with just one HTTP request.

A broken access control issue in the plugin’s REST API endpoints also allowed unauthorized updates to slider data. Patchstack discovered these vulnerabilities and posted an article advising users to fix input sanitization and output escaping.

“We also recommend applying a proper permission or authorization check to the registered rest route endpoints and not providing sensitive action or process to an unauthenticated user,” stated Patchstack.
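The two fixes Patchstack recommends, an authorization check on registered REST routes and sanitize-on-input plus escape-on-output, are shown side by side in this added PHP example. It is illustrative code written for this briefing, not Slider Revolution’s or Patchstack’s; the `example-slider` route names, the `example_slider_title` option key and the `edit_posts` capability are assumptions chosen for the example.

```php
<?php
// Added illustrative example (not Slider Revolution's or Patchstack's code).
// A hypothetical slider REST route that stores a title and renders it back.

// WEAK: any unauthenticated visitor can call the route, the title is stored
// without sanitization, and it is echoed raw (a stored XSS sink).
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-slider/v1', '/slider-weak/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_slider_weak',
        'permission_callback' => '__return_true', // no authorization check at all
    ) );
} );

function example_update_slider_weak( WP_REST_Request $request ) {
    $id    = (int) $request['id'];
    $title = $request->get_param( 'title' );            // untrusted, unsanitized
    update_option( "example_slider_title_{$id}", $title ); // hypothetical option key
    return rest_ensure_response( '<h2>' . $title . '</h2>' ); // unescaped output
}

// HARDENED: capability check on the route, schema-level input sanitization,
// and HTML escaping when the stored value is rendered.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-slider/v1', '/slider/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_slider_hardened',
        'permission_callback' => function () {
            // Only users allowed to edit content may change slider data.
            return current_user_can( 'edit_posts' );
        },
        'args' => array(
            'title' => array(
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field', // strips tags/control chars
            ),
        ),
    ) );
} );

function example_update_slider_hardened( WP_REST_Request $request ) {
    $id    = (int) $request['id'];
    $title = $request->get_param( 'title' ); // already sanitized via the args schema
    update_option( "example_slider_title_{$id}", $title );
    // Escape at render time so stored markup cannot execute in a viewer's browser.
    return rest_ensure_response( '<h2>' . esc_html( $title ) . '</h2>' );
}
```

With the hardened route, an unauthenticated request receives a 401/403 from the REST layer before the callback runs, and a `<script>` payload in `title` is reduced to inert text both on storage and on output.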

Cybersecurity Tips

Reporting Ransomware Attacks to Law Enforcement is Critical to Combat Them

Reporting a ransomware attack is essential for both immediate and long-term benefits, Sally Adam of Sophos News says. Victims in the U.S. can contact CISA, while those in the UK can reach out to NCSC, and Australian organizations can use ACSC.

Reporting an attack helps victims receive timely support to minimize its impact and provides essential insights to improve policies and initiatives against cybercrime. Moreover, sharing attack details can assist in taking down criminal gangs, as seen in the Lockbit operation in February 2024.

The “State of Ransomware 2024” report by Sophos shows that 97% of global ransomware victims reported the attack to law enforcement or official bodies. Reporting rates are high across all sectors, particularly in public sectors like state and local governments, healthcare, and education. Law enforcement or official bodies almost always provide some form of assistance to those who report an attack, with only 1% of the surveyed victims not receiving support.

However, support varies by country, with most victims receiving advice, help in investigating the attack, or assistance in recovering encrypted data. In India, 71% of victims received help in dealing with the attack, with similar support levels in South Africa. Recovery assistance for encrypted data was highest in India at 71%, and lowest in some European countries like Switzerland and Germany.

Most respondents (59%) found it easy to engage with law enforcement, especially in Brazil and Singapore, where the process was easiest. Conversely, those in Japan and Austria reported the highest difficulties. Of those who did not report their attacks, concerns included potential negative impacts and a belief that there would be no benefit.

Thanks for Reading

That’s it for this month’s Cybersecurity Briefing. Contact us today to learn more about our services.