Friday 21st October 2022

Week 41 | 10th – 14th October 2022

Key Issue: PoC published for Fortinet vulnerability following mass exploitation attempts
Cybercriminals: Cybercriminals launch cryptocurrency theft operations
Nation-State: Nation-state units deploy novel backdoors in espionage campaigns
Hacktivists: Pro-Russian hacktivists target US airport websites in DDoS campaign


This week, Fortinet confirmed that threat actors are actively exploiting a critical authentication
bypass vulnerability, CVE-2022-40684, affecting FortiOS (7.0.0 to 7.0.6 and 7.2.0 to 7.2.1), FortiProxy (7.0.0 to
7.0.6 and 7.2.0) and FortiSwitchManager (7.0.0 and 7.2.0). The vulnerability allows a remote attacker to log into
vulnerable Fortinet products and perform operations on the administrative interface via specially crafted HTTP
or HTTPS requests. On 10 October 2022, Fortinet confirmed in an advisory that it is aware of at least one instance
where the vulnerability has been exploited. On 13 October, Proof-of-Concept (PoC) exploit code was made
available for the critical authentication bypass vulnerability. The PoC exploit is designed to abuse the
authentication bypass flaw to set an SSH key for the user specified when launching the Python script from the
command line. This enables full system access for attackers, allowing them to change network configurations,
add new users, and initiate packet captures. Following the PoC release, researchers confirmed the first IP
exploitation of CVE-2022-40684 that leveraged the authentication bypass and attempted to export a backup of
the FortiOS configuration. Organisations are urged to patch vulnerable services as soon as possible, as we
assess that threat actors will be quick to incorporate the PoC into their operations, increasing the frequency of
attacks, as already indicated by current reports.
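
To prioritise patching, an asset inventory can be triaged against the affected version ranges listed above. The following is an added example, not code from Fortinet or from this report; the `hostname,product,version` inventory format, the hostnames and the function names are assumptions made for illustration.

```python
import re

# Affected ranges exactly as listed in the paragraph above (inclusive bounds).
AFFECTED = {
    "fortios": [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 1))],
    "fortiproxy": [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 0))],
    "fortiswitchmanager": [((7, 0, 0), (7, 0, 0)), ((7, 2, 0), (7, 2, 0))],
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def triage(product, version):
    """Return 'affected', 'not-listed' or 'unknown' for one asset."""
    ranges = AFFECTED.get(product.strip().lower())
    match = VERSION_RE.search(version)
    if ranges is None or match is None:
        return "unknown"  # unrecognised product or unparseable version: check by hand
    parsed = tuple(int(part) for part in match.groups())
    if any(low <= parsed <= high for low, high in ranges):
        return "affected"
    return "not-listed"  # only means: outside the ranges listed in this report


def triage_inventory(text):
    """Parse 'hostname,product,version' lines and return {hostname: status}."""
    results = {}
    for line in text.strip().splitlines():
        fields = [field.strip() for field in line.split(",")]
        if line.lstrip().startswith("#") or len(fields) != 3:
            continue  # skip comments and malformed rows
        host, product, version = fields
        results[host] = triage(product, version)
    return results


# Constructed sample inventory (hypothetical hostnames and export format).
SAMPLE_INVENTORY = """
# hostname,product,version
fw-edge-01,FortiOS,v7.0.6
fw-edge-02,FortiOS,7.2.2
proxy-01,FortiProxy,7.2.0
proxy-02,FortiProxy,7.2.1
fsm-01,FortiSwitchManager,7.0.0
fw-lab-01,FortiOS,unknown
"""

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Assets reported as `unknown` should be checked manually rather than assumed safe.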
