Newsletter October 2022

Hello CSP Community,

September saw us scrambling to prepare for a hurricane, with offsite backups and DR preparations. No rest for the wicked: October kept us just as busy on the cyber security front.

Urgent Appliance Patch Encouraged by Fortinet

On 6 October, Fortinet privately alerted customers running FortiOS, FortiProxy and FortiSwitchManager to install a patch for a critical authentication bypass, tracked as CVE-2022-40684. Customers who could not patch immediately were told to disable the HTTP/HTTPS administrative interface on affected devices, or restrict it to trusted addresses, to block attacks in the meantime. Successful exploitation gives an unauthenticated attacker administrative control of the device.

Once customers started receiving the confidential notices in early October, threat actors began probing for the flaw, and successful attackers used it to create malicious admin accounts on compromised devices. Scanning for exposed management interfaces and exploitation attempts have been observed in the wild. Before patching, it is worth checking the device logs for signs that it has already been compromised, since patching alone does not remove an attacker-created account. All our customers' Fortinet deployments were patched the same day, and public-facing management interfaces were disabled as an additional precaution.
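The log check mentioned above, as an added example that is not code from this newsletter or from Fortinet: Fortinet's advisory for CVE-2022-40684 lists log entries whose acting user is "Local_Process_Access" with a user interface of "Node.js" or "Report Runner" as a sign the bypass was used. The key=value layout and the field names (user=, ui=) are assumed to follow the common FortiOS log format, and the sample log lines are constructed, not real device output.

```python
"""Flag FortiOS log entries carrying the CVE-2022-40684 compromise indicator.

Added example, not code from the newsletter or from Fortinet. Fortinet's
advisory lists entries where the acting user is "Local_Process_Access" and
the user interface is "Node.js" or "Report Runner". The key=value layout and
the field names (user=, ui=) are assumed to follow the common FortiOS log
format; check them against your own device's logs before relying on this.
"""
import re

SUSPICIOUS_USER = "Local_Process_Access"
SUSPICIOUS_UI = {"Node.js", "Report Runner"}

# key="quoted value" or key=bareword, as FortiOS writes its logs.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one FortiOS-style log line into a {field: value} dict."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def is_suspicious(fields):
    """True when the entry matches the indicator Fortinet published."""
    return fields.get("user") == SUSPICIOUS_USER and fields.get("ui") in SUSPICIOUS_UI


def find_hits(lines):
    """Return (line number, parsed fields) for every matching entry."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = parse_line(line)
        if is_suspicious(fields):
            hits.append((number, fields))
    return hits


# Constructed sample log, not real device output: two benign admin logins
# around two configuration changes made through the bypass.
SAMPLE_LOG = [
    'date=2022-10-07 time=09:12:01 type="event" subtype="system" level="information" '
    'user="admin" ui="https(10.0.0.5)" action="login" status="success" '
    'msg="Administrator admin logged in successfully from https(10.0.0.5)"',
    'date=2022-10-07 time=11:40:13 type="event" subtype="system" level="information" '
    'user="Local_Process_Access" ui="Node.js" action="Add" cfgpath="system.admin" '
    'cfgobj="backup-svc" msg="Add system.admin backup-svc"',
    'date=2022-10-07 time=11:40:15 type="event" subtype="system" level="information" '
    'user="Local_Process_Access" ui="Report Runner" action="Edit" cfgpath="system.admin" '
    'cfgobj="backup-svc" msg="Edit system.admin backup-svc"',
    'date=2022-10-07 time=12:00:00 type="event" subtype="system" level="information" '
    'user="admin" ui="ssh(10.0.0.5)" action="login" status="success" '
    'msg="Administrator admin logged in successfully from ssh(10.0.0.5)"',
]

if __name__ == "__main__":
    for number, fields in find_hits(SAMPLE_LOG):
        print(f"line {number}: {fields['action']} {fields.get('cfgpath', '')} "
              f"{fields.get('cfgobj', '')} via {fields['ui']}")
```

Two caveats when using this: an attacker who already has admin rights can clear or forward logs elsewhere, so a clean log is not proof of a clean device, and the indicator only covers changes made through the bypass. Review the admin account list on the device as well, and remove anything you did not create before and after applying the patch.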

Operation In(ter)ception Lures macOS Users

A Mac user in the crypto space had a bit of a scare. Cryptocurrency is a hot commodity, and plenty of people are looking for jobs in the field. Operation In(ter)ception exploits that demand with lures for open positions at Coinbase to infect macOS users with malware. Victims are typically approached through targeted messages on job and social media platforms such as LinkedIn. The lure arrives as what looks like a PDF job description but is in fact an executable posing as one. When run it drops three files onto the system, including a decoy PDF that opens so the victim sees the document they expected, plus a second-stage payload that lets the threat actor take control of the machine. Apple revoked the signing certificate in August, but newer variants are still circulating.
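The "executable posing as a PDF" trick above is easy to catch by looking past the name and icon at the file's leading bytes. The following is an added example, not code from this newsletter or from the research it summarises; the Mach-O magic values are the real ones from the macOS headers, and the sample bytes are constructed, not real malware.

```python
"""Tell a real PDF from an executable posing as one by its magic bytes.

Added example, not code from the newsletter or from the research it
summarises. The lure in this campaign is a Mach-O binary that behaves like a
job-description PDF (it drops and opens a real decoy PDF). A file's leading
bytes reveal its true type regardless of its name or icon, which is what this
check inspects. All sample bytes below are constructed, not real malware.
"""

PDF_MAGIC = b"%PDF-"

# On-disk Mach-O signatures: 32-bit, 64-bit, and universal (fat) binaries,
# in both byte orders.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM (also Java .class)
}


def sniff(data):
    """Return 'pdf', 'macho' or 'unknown' from the first bytes of a file."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data[:4] in MACHO_MAGICS:
        return "macho"
    return "unknown"


def check_download(data, expected="pdf"):
    """Compare what a download is supposed to be with what its bytes say.

    'ok'                   content matches the expected document type
    'disguised-executable' content is a Mach-O binary, whatever it is called
    'mismatch'             some other type than expected
    """
    actual = sniff(data)
    if actual == "macho":
        return "disguised-executable"
    if actual == expected:
        return "ok"
    return "mismatch"


# Constructed samples: a minimal PDF, and a header-only Mach-O starting with
# the little-endian 64-bit magic as an x86_64 binary would.
DECOY_PDF = b"%PDF-1.4\n% constructed decoy, no pages\n%%EOF\n"
FAKE_DROPPER = b"\xcf\xfa\xed\xfe" + bytes(28)   # magic + zeroed header fields

if __name__ == "__main__":
    for name, data in [("Coinbase_online_careers.pdf", DECOY_PDF),
                       ("Coinbase_online_careers", FAKE_DROPPER)]:
        print(f"{name}: {sniff(data)} -> {check_download(data)}")
```

On a Mac the `file` command gives the same answer for a suspicious download, and a job description that turns out to be a Mach-O executable should never be opened, whether or not its signing certificate has been revoked yet.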

This campaign has been active since at least 2020 and is attributed to the North Korean threat actor Lazarus; the earliest lures targeted contractors in the defence and aerospace industries. Those campaigns went after Windows systems, but macOS malware is now being found using the same distribution tactics. Recent lures have shifted from Coinbase to Crypto.com job vacancies, continuing a long-running theme that goes back to the AppleJeus campaigns of 2018. SentinelOne stopped the attack in its tracks, regardless of platform or version, thanks to its AI-driven behavioural approach to detecting malware.

What’s ahead?

During November we'll be hard at work wrapping up projects before our feature and change freeze over the festive period. We're also expanding the team to ensure that our service levels remain the best in the industry.

Regards,

Rudolf
