This week on MSP Incident Insights, we’re catching up on major threats and breaches that caught the eyes of our security leaders and MSP partners in a threat briefing round-up. 

Threat Actors Actively Exploit Critical Fortinet Vulnerabilties

What Happened?

On April 9th, 2024, CISA released an advisory notifying readers that Fortinet, a popular network security and firewall vendor, has released several updates to address Critical and High-rated vulnerabilities in FortiOS, FortiProxy, FortiClientLinux, and FortiClient Mac. 

Fortinet also disclosed a critical SQL injection vulnerability in their endpoint management product, FortiClient EMS, on February 22^nd, 2024, which NIST and CISA are tracking as CVE-2023-48788, with a Critical CVSS score of 9.8. A month later, security researchers at Horizon3.ai shared a proof-of-concept exploit, which CISA confirmed is being exploited in the wild on March 25^th, 2024. 

Key Takeaways

CVE-2023-45590 is a vulnerability in FortiClientLinux with a CVSS score of 9.4, which allows attackers to launch remote code execution attacks, and impacts businesses using FortiClientLinux 7.0 to 7.2.0. 

CVE-2023-41677 (also tracked as CWE-522) is a High vulnerability with a CVSS score of 7.5, which allows attackers to launch phishing attacks that allow them to exfiltrate an administrator cookie in a credential theft attack. 

According to the POC for CVE-2023-48788 published by Horizon3.ai researchers, threat actors were able to use debug logging and a Python script to successfully reverse engineer a way to communicate with the service “FmcDaemon.exe,” which is responsible for communicating with Fortinet endpoint clients. After identifying the message format as text-based, researchers found several SQL statements and successfully injected a payload to remotely execute code. 

From there, threat actors could potentially use this vulnerability to deploy a remote access tool (RAT) and exfiltrate credentials from Windows’ Local Security Authority Subsystem Service (LSASS), which includes operating system and domain admin credentials, such as an NTLM hash. 

Why This Matters to MSPs & Next Steps

Many MSPs use Fortinet to secure their clients’ endpoints, and this vulnerability poses a major risk to these end users’ privileged credentials and operating system passwords. 

CyberQP’s security experts recommend that MSPs take the following action steps to secure their end users:

• Fortinet has released patches for MSPs using FortiClientEMS, and recommends patching their software immediately. MSPs using FortiClientEMS version 7.0 should update to version 7.0.11 or above, and MSPs using FortiClientEMS version 7.2 should update to version 7.2.3 or above.
• Refer to Horizon3’s coverage (linked above) for Indicators of Compromise that you can use to detect malicious or suspicious activity. 
• For CVE-2023-45590 and CVE-2023-41677, please refer to Fortinet’s advisories for detailed update instructions based on your software version. 

LockBit Ransomware Re-Emerges Following International Takedown Operation

What Happened?

On Tuesday, February 19^th, 2024, the Department of Justice, FBI investigators, Europol, the United Kingdom’s National Crime Agency, among other international law enforcement organizations, executed “Operation Cronos,” a coordinated takedown of the infrastructure and threat actors behind the infamous LockBit Ransomware-as-a-Service (RaaS) gang. 

While research from Trend Micro indicates that LockBit threat actors are still developing a platform-agnostic version of their ransomware, threat researchers believe the group, and its  face an uphill battle in continuing their operations. 

Key Takeaways

LockBit’s ransomware-as-a-service operation, which included 193 known affiliate accounts, extorted over $120 million USD from victims, and was one of the most active ransomware families of 2023.  

According to noted security expert and reporter Brian Krebs, international authorities arrested two threat actors associated with LockBit, shut down almost 36 servers, and froze over 200 affiliated cryptocurrency accounts. After seizing LockBit’s leak site, federal investigators used the site to announce the disruption in LockBit activity, share decryption keys, announce indictments, and even host a countdown timer to reveal the identity of “LockBitSupp,” the username of a major cyber criminal that spoke for the ransomware group.

Following the takedown, researchers uncovered the LockBit group’s attempts to develop a platform-agnostic version of their ransomware (tracked as LockBit-NG-Dev), which could “form the basis” of LockBit Ransomware version 4.0, according to Trend Micro researchers. These investigations also revealed that despite the group’s claims, LockBit was storing victim data regardless of whether or not a victim paid their ransoms.

While reports indicate that LockBit is attempting to build new infrastructure and launch a return, as proven by new encryptor samples uploaded to VirusTotal, researchers believe that internal dissent between LockBit and disgruntled affiliates, previous encryptor leaks, and the ransomware’s deteriorating reputation on underground cybercrime forums show it faces several challenges to re-emerge as a major threat actor in today’s landscape.  

Why This Matters to MSPs & Next Steps

The findings from this international takedown should serve as a reminder to MSPs that even if they manage to pay a ransom, threat actors will still retain the data they stole from organizations. Moreover, with recent litigation against CISOs for ransomware attacks, and potential penalties for making ransomware payments, MSPs must proactively prepare for  

CyberQP’s security experts recommend that security-focused MSPs take the following action steps:

• Consult with your Managed XDR, MDR, or Incident Response partner and ensure they have the latest Indicators of Compromise and detection rules for LockBit and “LockBit-NG-Dev.”
• International law enforcement agencies have obtained several decryption keys for LockBit’s victims.

Canada’s Foreign Affairs Department Discloses Data Breach

What Happened?

On Tuesday, January 30^th, 2024, Global Affairs Canada, the Canadian government’s foreign affairs department, disclosed a data breach causing a major network remote access outage. Users and employees of the government’s Secure Integrated Global Network (SIGNET)-connected endpoints are impacted.  Authorities are investigating the full scope of the breach, but an internal email noted, “early results suggest that many… users may have been affected.”  

Key Takeaways

According to initial coverage, the initial attack vector of this breach was a VPN managed by Shared Service Canada (SSC) VPN. The SSC is responsible for managing the Canadian government’s networks, data centers, and other IT services. 

While investigators continue to look into users impacted by the incident, internal Global Affairs Canada emails warn that staff and users who accessed information remotely using a SIGNET laptop may have been exposed to the unnamed threat actors, who gained unauthorized access to two internal hard drives and users’ personal information, such as emails, calendars, and contacts. 

According to these reports, SIGNET users were vulnerable between December 20, 2023 and January 24, 2024.

Why This Matters to MSPs & Next Steps

Major incidents like these emphasize the need to proactively prepare for major network-based breaches, especially in instances like these where internal drives, proprietary IP, or personally identifying information (PII) are impacted. 

Moreover, this breach should remind MSPs looking to support public sector organizations or act as a third-party service provider to defense contractors that they will be expected to support and secure their clients in these spaces, and that they’ll be expected to align with their government’s compliance frameworks and best practices to do so. 

CyberQP’s security experts recommend that MSPs with a focus on cybersecurity to lock down the following attack surfaces:

• Engage a SOC or Managed XDR solution that will monitor your network, and alert on suspicious or malicious activity. 
• Implement a firewall with a VPN or a standalone VPN and ensure it remains up-to-date in order to secure remote access.

Thanks for reading this week’s threat briefing collection. Next time, join us for a breakdown of the Health Sector Cybersecurity Coordination Center’s advisory on social engineering attacks.