Our threat intelligence this week focuses on the Fortinet CVE-2022-40684 vulnerability, which allows a remote attacker to log into vulnerable Fortinet products and perform operations on the administrative interface. On the 13th of October, publicly available PoC exploit code, which detailed how adversaries could gain full system access, led to the first confirmed IP exploitation of CVE-2022-40684 that leveraged the authentication bypass and attempted to export a backup of the FortiOS configuration. Fortinet has also confirmed at least one instance where the vulnerability has been exploited.

We assess that similar exploitation will commence following the release of the Zimbra PoC. Threat actors have already exploited the vulnerability to target several entities in Asia, and as the PoC has been added as a module to Metasploit, researchers expect a third wave to begin imminently, likely with ransomware as the end goal.

Organisations are urged to patch vulnerable services as soon as possible as we assess that threat actors will be quick to incorporate the PoC into their operations, increasing the frequency of attacks as already indicated by current reports.

Key Vulnerabilities

  1. CVE-2022-40684
    CVE-2022-40684 is a critical authentication bypass vulnerability affecting FortiOS (7.0.0 to 7.0.6 and 7.2.0 to 7.2.1), FortiProxy (7.0.0 to 7.0.6 and 7.2.0) and FortiSwitchManager (7.0.0 and 7.2.0). The vulnerability allows a remote attacker to log into vulnerable Fortinet products and perform operations on the administrative interface via specially crafted HTTP or HTTPS requests. Proof-of-Concept (PoC) exploit code has been released, which is likely to increase instances of exploitation in the wild.
  2. CVE-2022-41352
    A remote code execution vulnerability (CVSS: 9.8 | OVSS: 55) affecting versions 8.8.15 and 9.0 of Zimbra Collaboration Suite, an enterprise collaboration software and email platform. The vulnerability is triggered by the method in which Zimbra’s antivirus engine (Amavis) scans inbound emails, and enables an unauthenticated threat actor to create and overwrite files on the Zimbra server. While a patch has been released for the vulnerability, security researchers have confirmed continued exploitation in the wild, which is likely connected to the public release of PoC code on 7 October.
  3. CVE-2022-37968
    An elevation of privilege vulnerability (CVSS: 10 | OVSS: 40) in Microsoft’s Azure Arc, affecting the cluster connect feature of Azure Arc-enabled Kubernetes clusters. An unauthenticated threat actor can exploit this vulnerability remotely to gain administrative privileges for a Kubernetes cluster. While updates have been released, users that do not have auto-upgrade enabled must manually upgrade their systems.
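The Fortinet entry above lists the affected version ranges but leaves the asset-triage step to the reader. The following script is an added example, not code from Secrutiny, Orpheus or Fortinet: it encodes the inclusive version ranges stated above for FortiOS, FortiProxy and FortiSwitchManager and flags inventory entries that fall inside them. The CSV inventory format (hostname, product, version) and the sample rows are constructed assumptions; adapt the loader to whatever your asset register exports. A version match means the device needs patching and a review of its admin-interface logs, not that it has been compromised.

```python
import csv
import io
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as listed in the advisory summary above.
# Each pair is an inclusive (lowest, highest) bound; single versions
# such as FortiProxy 7.2.0 are written as a range with equal ends.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "FortiOS": [("7.0.0", "7.0.6"), ("7.2.0", "7.2.1")],
    "FortiProxy": [("7.0.0", "7.0.6"), ("7.2.0", "7.2.0")],
    "FortiSwitchManager": [("7.0.0", "7.0.0"), ("7.2.0", "7.2.0")],
}


def parse_version(text: str) -> Version:
    """Turn '7.0.6' (or 'v7.0') into a comparable 3-tuple, zero-padded.

    Padding matters: without it Python would order (7, 0) before (7, 0, 0)
    and a device reporting '7.0' would silently escape the 7.0.0 bound.
    """
    parts = text.strip().lstrip("vV").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in parts][:3]
    nums += [0] * (3 - len(nums))
    return nums[0], nums[1], nums[2]


def is_affected(product: str, version: str) -> bool:
    """True if this product/version falls inside a listed affected range."""
    if product not in AFFECTED:
        raise KeyError(f"no CVE-2022-40684 range data for product {product!r}")
    v = parse_version(version)
    return any(
        parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED[product]
    )


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = """hostname,product,version
fw-edge-01,FortiOS,7.0.5
fw-edge-02,FortiOS,7.2.2
proxy-01,FortiProxy,7.2.0
fsm-01,FortiSwitchManager,7.2.1
fw-branch-03,FortiOS,6.4.9
"""


def triage(inventory_csv: str) -> Dict[str, bool]:
    """Map each hostname to whether its reported version is in an affected range."""
    verdicts: Dict[str, bool] = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        verdicts[row["hostname"]] = is_affected(row["product"], row["version"])
    return verdicts


def exposed_hosts(inventory_csv: str) -> List[str]:
    """Hostnames that should be prioritised for patching and log review."""
    return sorted(host for host, hit in triage(inventory_csv).items() if hit)


if __name__ == "__main__":
    for host, hit in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14s} {'AFFECTED' if hit else 'not in range'}")
```

Unknown products raise rather than returning False, so a typo in the inventory surfaces as an error instead of a device quietly dropping off the patch list.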

Key Intelligence Reports

  1. Fortinet confirms active exploitation of CVE-2022-40684, critical authentication bypass vulnerability
    Fortinet has confirmed that threat actors are actively exploiting a critical authentication bypass vulnerability, CVE-2022-40684, affecting FortiOS (7.0.0 to 7.0.6 and 7.2.0 to 7.2.1), FortiProxy (7.0.0 to 7.0.6 and 7.2.0) and FortiSwitchManager (7.0.0 and 7.2.0). Read full report >>
  2. Lebanon-based espionage group POLONIUM deploys multiple custom backdoors to target Israeli entities
    The Lebanon-based cyber espionage group POLONIUM has deployed a suite of seven customised backdoors to steal sensitive data from Israeli entities across multiple industry verticals including engineering, technology, communications, marketing, and financial services. Read full report >>
  3. Chinese threat cluster WIP19 targets IT and telecommunications entities with signed malware
    A newly identified threat cluster tracked as WIP19 has targeted telecommunications and IT service providers in the Middle East and Asia. Read full report >>

If you come across any issues or need assistance, please do not hesitate to reach out to Secrutiny. 

What is OVSS?

The Orpheus Vulnerability Severity Score (OVSS) helps companies understand the risk associated with particular vulnerabilities. Orpheus does this by adding context on the likely threat to, and impact of, CVEs, building upon the vulnerability information provided by the CVSS (Common Vulnerability Scoring System) score.