Security News

Auth bypass bug in FortiOS, FortiProxy is exploited in the wild (CVE-2022-40684)
2022-10-11 11:27

CVE-2022-40684 is an authentication bypass vulnerability on vulnerable devices' administrative interface that can be triggered by sending specially crafted HTTP(S) requests. Successful exploitation may allow attackers with access to the management interface to perform administrator operations and, essentially, take control of the device.

Fortinet Warns of Active Exploitation of Newly Discovered Critical Auth Bypass Bug
2022-10-11 06:21

FortiOS version 7.2.0 through 7.2.1. FortiOS version 7.0.0 through 7.0.6.

Fortinet says critical auth bypass bug is exploited in attacks
2022-10-10 16:22

Fortinet has confirmed today that a critical authentication bypass security vulnerability patched last week is being exploited in the wild. The security flaw is an auth bypass on the administrative interface that enables remote threat actors to log into FortiGate firewalls, FortiProxy web proxies, and FortiSwitch Manager on-premise management instances.

Fortinet Warns of New Auth Bypass Flaw Affecting FortiGate and FortiProxy
2022-10-07 16:47

Fortinet has privately warned its customers of a security flaw affecting FortiGate firewalls and FortiProxy web proxies that could potentially allow an attacker to perform unauthorized actions on susceptible devices. The issue impacts the following versions, and has been addressed in FortiOS versions 7.0.7 and 7.2.2, and FortiProxy version 7.0.7 released this week.

Fortinet warns admins to patch critical auth bypass bug immediately
2022-10-07 13:04

Fortinet has warned administrators to update FortiGate firewalls and FortiProxy web proxies to the latest versions, which address a critical severity vulnerability. "An authentication bypass using an alternate path or channel [CWE-88] in FortiOS and FortiProxy may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests," Fortinet explains in a customer support bulletin issued today.

New PsExec spinoff lets hackers bypass network security defenses
2022-09-13 13:37

Security researchers have developed an implementation of the Sysinternals PsExec utility that allows moving laterally in a network using a single, less monitored port, Windows TCP port 135. While the original PsExec is available in the Sysinternals utility suite, there is also an implementation in the Impacket collection of Python classes for working with network protocols, which has support for SMB and other protocols like IP, UDP, TCP that enable connections for HTTP, LDAP, and Microsoft SQL Server.

Ransomware makes use of intermittent encryption to bypass detection algorithms
2022-09-12 22:36

A study of BlackCat ransomware using different file sizes revealed that intermittent encryption brings significant speed benefits to threat actors. Historically, LockFile ransomware has been the first malware family to make use of intermittent encryption, in mid-2021, yet several different ransomware families are now using it.

Cisco won’t fix authentication bypass zero-day in EoL routers
2022-09-07 17:05

Cisco says that a new authentication bypass flaw affecting multiple small business VPN routers will not be patched because the devices have reached end-of-life. "A successful exploit could allow the attacker to bypass authentication and access the IPSec VPN network," Cisco explained in a security advisory issued on Wednesday.

New EvilProxy Phishing Service Allowing Cybercriminals to Bypass 2-Factor Security
2022-09-06 06:47

A new phishing-as-a-service toolkit dubbed EvilProxy is being advertised on the criminal underground as a means for threat actors to bypass two-factor authentication protections employed against online services. "EvilProxy actors are using reverse proxy and cookie injection methods to bypass 2FA authentication - proxifying victim's session," Resecurity researchers said in a Monday write-up.

EvilProxy phishing-as-a-service with MFA bypass emerged on the dark web
2022-09-06 03:30

Resecurity has recently identified a new Phishing-as-a-Service called EvilProxy advertised on the Dark Web. While the incident with Twilio is solely related to the supply chain, and cybersecurity risks obviously lead to attacks against downstream targets, a productized underground service like EvilProxy enables threat actors to attack users with enabled MFA on the largest scale without the need to hack upstream services.