Overview

Fortinet, a global leader in cybersecurity solutions, recently released a critical advisory addressing a significant vulnerability (CVE-2024-55591) in its FortiOS and FortiProxy products. This flaw, which has a CVSSv3 score of 9.6, is categorized as a critical authentication bypass vulnerability and is currently being exploited in the wild.

Attackers leveraging this vulnerability can potentially gain super-admin privileges by exploiting weaknesses in the Node.js WebSocket module, making this a high-stakes issue for organizations relying on Fortinet’s products.

This blog provides a detailed overview of the vulnerability, affected versions, Indicators of Compromise (IOCs), mitigation strategies, and steps for administrators to protect their systems effectively.

The Vulnerability Explained

The CVE-2024-55591 vulnerability stems from an “Authentication Bypass Using an Alternate Path or Channel” issue (CWE-288). An attacker can craft malicious requests to the Node.js WebSocket module, bypass authentication, and gain unauthorized super-admin access. Once exploited, the attacker can perform a wide range of malicious activities, including:

• Creating administrative or local user accounts.
• Modifying firewall policies, addresses, or system settings.
• Establishing Secure Sockets Layer Virtual Private Network (SSL VPN) tunnels to access internal networks.

Affected Products and Versions

The vulnerability impacts the following versions of FortiOS and FortiProxy products:

FortiOS

• Versions 7.0.0 through 7.0.16 are affected.
• Versions 7.6, 7.4, and 6.4 are not affected.

FortiProxy

• Versions 7.0.0 through 7.0.19.
• Versions 7.2.0 through 7.2.12.
• Versions 7.6 and 7.4 are not affected.

Solution:

• Upgrade FortiOS to version 7.0.17 or later.
• Upgrade FortiProxy to versions 7.0.20 or 7.2.13 or later.

How Attackers Exploit the Vulnerability

Attackers exploit this vulnerability by sending malicious WebSocket requests to bypass authentication controls. They can target administrative accounts by guessing or brute-forcing usernames. Once access is gained, they perform the following malicious actions:

• Create random user accounts such as “Gujhmk” or “M4ix9f”.
• Add these accounts to administrative or VPN groups.
• Use SSL VPN connections to infiltrate the internal network.

Indicators of Compromise (IOCs)

Fortinet has shared some key IOCs that organizations should monitor to identify potential attacks.

Log Entries

Look for the following types of suspicious log entries in your system:

1. Successful Admin Logins:

type=”event” subtype=”system” level=”information” logdesc=”Admin login successful”

user=”admin” ui=”jsconsole” srcip=1.1.1.1 dstip=1.1.1.1 action=”login” status=”success” 

msg=”Administrator admin logged in successfully from jsconsole”

• Unauthorized Configuration Changes:

type=”event” subtype=”system” level=”information” logdesc=”Object attribute configured”

user=”admin” ui=”jsconsole(127.0.0.1)” action=”Add”

msg=”Add system.admin vOcep”

Suspicious IP Addresses

Attackers have been observed using the following IP addresses to launch attacks:

• 45.55.158.47 (most commonly used)
• 87.249.138.47
• 155.133.4.175
• 37.19.196.65
• 149.22.94.37

It’s important to note that these IP addresses are not fixed sources of attack traffic; they are often spoofed and may not represent the actual origin.

Recommended Actions

1. Update Immediately

If your organization is using affected versions of FortiOS or FortiProxy, the most effective solution is to upgrade to the latest secure versions. Fortinet has provided tools to assist with upgrading, which can be found on their official site.

2. Mitigations for Immediate Protection

If an upgrade cannot be performed immediately, consider implementing the following mitigations:

• Disable HTTP/HTTPS Administrative Interfaces: This reduces the exposure of management interfaces to the internet.
• Restrict Access with Local-In Policies:
  Limit access to the administrative interface by allowing only trusted Ips
• Use Non-Standard Admin Usernames: To make brute-force attacks more difficult, avoid predictable or default usernames for administrative accounts.

Exploitation in the Wild

Reports indicate active exploitation of this vulnerability. Threat actors have been observed creating random administrative or local user accounts, such as:

• Gujhmk
• Ed8x4k
• Alg7c4

These accounts are often added to SSL VPN user groups to establish tunnels into internal networks, making it critical to monitor for unauthorized account creation.

Best Practices for Enhanced Security

1. Enable Logging and Monitoring:
   Continuously monitor system logs for any unauthorized administrative activity, suspicious configuration changes, or unexpected VPN connections.
2. Conduct Regular Vulnerability Scans:
   Perform routine scans to identify and patch other vulnerabilities within your network infrastructure.
3. Adopt a Zero Trust Approach:
   Limit user privileges to the minimum required and enforce strict access controls, especially for administrative tasks.
4. Educate Your Team:
   Ensure that your IT and security teams are aware of this vulnerability and trained to respond to potential threats.
5. Implement Multi-Factor Authentication (MFA):
   Although this vulnerability bypasses traditional authentication, MFA adds an additional layer of security that can mitigate other attack vectors.

Conclusion

The CVE-2024-55591 vulnerability emphasizes the critical need for organizations to stay ahead of emerging threats. With attackers actively exploiting this flaw to gain super-admin access, the risks to your infrastructure and data cannot be overstated. Organizations using FortiOS and FortiProxy must act immediately. Patching systems and implementing mitigations isn’t optional; it’s imperative.

It’s not just about reacting to vulnerabilities—it’s about adopting a proactive and layered approach to cybersecurity. Leveraging tools like multi-factor authentication, real-time log monitoring, and Zero-Trust architectures can significantly reduce the risk of exploitation.

The broader lesson here is clear: vulnerabilities are inevitable, but breaches don’t have to be. By staying informed, investing in advanced threat detection systems, and fostering a security-first mindset within your organization, you can not only address immediate threats but also build resilience against future ones.

As cyber threats grow more advanced, are you prepared to meet them head-on? Strengthening your defenses today will determine your security tomorrow.

Let this be a reminder to continuously innovate and adapt in the face of an ever-changing threat landscape.

Your next step could define the safety of your organization.

Source:

• https://www.csa.gov.sg/alerts-advisories/alerts/2025/al-2025-004
• https://www.fortiguard.com/psirt/FG-IR-24-535
• https://nvd.nist.gov/vuln/detail/CVE-2024-55591

The post Fortinet Zero-Day CVE-2024-55591 Exposed: Super-Admin Access Risk appeared first on Cyble.

Blog – Cyble – ​Read More

Quantum computers remain a highly exotic technology, used by a very small number of companies for very specific computational tasks. But if you search for “quantum computer news”, you might get the impression that all the major IT players have already armed themselves with quantum technology, and that any day now hackers will start using it to crack encrypted communications and manipulate digital signatures. The reality is both less tense and more complex — but such nuances don’t make the headlines. So, who’s been making all the noise about quantum hacking?…

Mathematicians

Although the respected American mathematician Peter Shor meant to create neither hype nor panic, it was he who, back in 1994, proposed the idea of an entire family of algorithms for solving computationally complex mathematical problems on a quantum computer. Chief among these was the problem of factoring into prime numbers. For sufficiently large numbers, a classical computer would need… centuries to find a solution — which serves as the foundation of cryptographic algorithms like RSA. However, a powerful quantum computer using Shor’s algorithm could solve this problem much faster. Although such a computer was still a dream in 1994, Shor’s idea captured the imagination of hackers, physicists, and of course, journalists. Shor recalls that when he first presented his idea at a conference in 1994, he hadn’t yet completely solved the factorization problem — the final version of his research was only published in 1995. Nevertheless, just five days after his presentation, people were confidently proclaiming that the factorization problem had been solved.

Startups

For many years, the quantum threat was considered just a distant possibility. The number of quantum bits (qubits) required to break cryptography was estimated to be in the thousands or millions, while experimental quantum computers were still in single digits. The situation changed in 2007, when the Canadian company D-Wave Systems demonstrated the “first commercial quantum computer”, boasting 28 qubits, with a plans to scale up to 1024 qubits by the end of 2008. The company predicted that by 2009 it would be possible to rent quantum computers for cloud computations — using them for risk analysis in insurance, modeling in chemistry and materials science, as well as for “government and military needs”. By 2009, D-Wave expected to achieve quantum supremacy — when a quantum computer could solve a problem faster than a classical one.

The quantum community had to spend years dealing with the company’s claims. The principle of quantum annealing, used in D-Wave systems, wasn’t even considered a quantum effect, and its existence was only proven in 2013 — albeit with serious reservations. Meanwhile, the magnitude (and even the existence) of quantum supremacy continued to be a subject of debate even longer. In any case, D-Wave systems can run neither Shor, nor Grover’s algorithms, making them unsuitable for cryptanalysis tasks. The company continues to build computers (or, rather, “quantum annealers”) with ever-increasing numbers of qubits, but their practical application remains very limited.

Cyber agencies

When the U.S. National Security Agency (NSA) issues warnings and advice on a problem, it’s a good reason to take that problem seriously. That’s why the NSA’s 2015 recommendation urging companies and governments to begin transitioning to quantum-resistant encryption was taken as a signal that the arrival of practical quantum computers might just be round the corner. This warning came as a surprise: at the time, the largest number that had been factored using Shor’s algorithm on a quantum computer was… 21. This fueled speculation that the NSA knew something about quantum computers that the rest of the world didn’t.

Now, nearly a decade later, we can be fairly confident that the NSA was sincere in its subsequent explanations, released six months later: they were simply warning of a potential danger ahead of time. After all, equipment purchased for government agencies tends to remain in service for decades, so systems should be upgraded well in advance to avoid future vulnerabilities. Around the same time, NIST announced a competition to develop a standardized set of quantum-resistant algorithms. In 2024, this new standard was adopted.

Internet giants

Many major IT companies, such as Google and IBM, have shown interest in quantum computing — and invested in it. At the end of the 20^th century, IBM labs created the first working quantum computer with two qubits. But it was Google that, in 2019, announced the long-awaited achievement of quantum supremacy. Their experimental 53-qubit computer, Sycamore, could reportedly solve a problem in not much over three minutes that would take a classical supercomputer 10,000 years. However, IBM disputed this claim, arguing that this problem was purely synthetic, designed for quantum computers specifically, and having no real-world application. For a supercomputer to solve the same problem, it would simply have to simulate a quantum one, which would be quite useless — not to mention slow. IBM further stated that with sufficient disk space, a classical supercomputer could solve the same problem with greater accuracy and in a relatively short time: no more than 2.5 days.

Even the original creator of the term “quantum supremacy”, Professor John Preskill, criticized Google’s excessive use of the phrase, noting its popularity with journalists and marketers. As a result, its intended technical use has been obscured.

Governments

Security experts, including the NSA, have repeatedly emphasized that the quantum threat is a reality — even in the absence of a practical quantum computer. One possible scenario is well-resourced malefactors storing an encrypted copy of valuable data today in order to decrypt it in the future when quantum computers become viable. Such an attack, known as harvest now, decrypt later, is often mentioned in the context of the “quantum race”, and in 2022, the U.S. government created quite a stir by claiming to already be facing SNDL attacks. Experts from the post-quantum security firm QuSecure also referred to SNDL attacks as a “common practice” in an article ominously titled Quantum apocalypse.

Meanwhile, the White House coined the term CRQC (Cryptanalytically Relevant Quantum Computer) and ordered U.S. agencies to switch to post-quantum encryption algorithms no later than 2035.

Enthusiasts

Quantum computers are complex, unique physical devices that often require extreme cooling. As a result, small firms and individual researchers have a hard time keeping up in the quantum race; however, that doesn’t stop some from trying. In 2023, statements from a researcher named Ed Gerck, founder of a company called Planalto Research, created a small buzz. According to Gerck, his company managed to perform quantum computations on a commercial Linux desktop with capital costs of less than a thousand dollars and without using cryogenics. The author claimed to have broken a 2048-bit RSA key despite these limitations. Interestingly, Gerck allegedly developed his own algorithm to do this, rather than using Shor’s. Cryptographers and developers of quantum computers have repeatedly demanded proof of Gerck’s claims but received only excuses in response. Gerck’s paper has in fact been published; however, experts note serious methodological flaws and speculative elements.

And, of course, the press

A study by researchers at Shanghai University directly linking quantum computing to encryption cracking was published in China in September 2024. However, it only caused a splash worldwide after a November article in the South China Morning Post. This article claimed that the Chinese scientists had successfully broken “military-grade encryption”, and this headline was carelessly replicated by other media outlets.

In fact, the authors of the study did target encryption, but solved a much more modest problem — they cracked 50-bit ciphers related to AES (Present, Gift-64, and Rectangle). Interestingly, they used one of the latest models from the very same D-Wave, using classical algorithms to compensate for its limitations compared to a full-fledged quantum computer. This study is scientifically novel, but its practicality in breaking real-world encryption is highly questionable. In addition to the deficit of qubits, the incredibly long classical pre-calculations required to crack real 128 or 256-bit keys remains an obstacle.

This wasn’t the first time researchers have claimed success in breaking encryption, but an earlier, similar announcement in 2022 received little attention.

Internet giants (yes, again)

A new round of speculation began with Google’s recent announcement of its Willow chip. The developers have claimed that they’ve managed to solve one of the key problems in scaling quantum computing — error correction. This problem arises because it’s extremely challenging to read the state of a qubit without making errors or disturbing its entanglement with other qubits. Therefore, calculations are often run multiple times, and many “noisy” physical qubits are combined into a single “perfect” logical one. Despite these measures, as the number of qubits increases, errors grow exponentially, making the system increasingly fragile. In contrast, the new chip demonstrates the opposite behavior — as the number of qubits increases, errors are reduced.

Willow has 105 physical qubits. Of course, this is far from enough to break modern encryption. According to the Google researchers themselves, their computer would need millions of qubits to become a CRQC.

But such trifles didn’t stop other researchers from declaring the imminent death of modern cryptography. For example, researchers at the University of Kent have estimated that advances in quantum computing could require the Bitcoin network to shut down for 300 days in order to update to quantum-resistant algorithms.

Welcome to reality

Leaving the mathematical and technical aspects aside, it’s worth emphasizing that, as of right now, cracking modern encryption using quantum computers is still impossible, and this is unlikely to change in the near future. However, sensitive data that will remain valuable for years to come should be encrypted with quantum-resistant (post-quantum) algorithms today to avoid potential future risks. Several major IT regulators have already issued recommendations on transitioning to post-quantum cryptography, which should be studied and gradually implemented.

Kaspersky official blog – ​Read More

Key Takeaways

• Cyble Research and Intelligence Labs (CRIL) has identified an ongoing cyberattack – targeting organizations in Germany.
• The attack is initiated through a deceptive LNK file embedded within an archive. When executed by an unsuspecting user, this LNK file triggers cmd.exe to copy and run wksprt.exe, a legitimate executable.
• This executable sideloads a malicious DLL that employs DLL proxying, ensuring the host application continues to operate seamlessly while executing malicious shellcode in the background.
• The shellcode ultimately decrypts and executes the final payload: Sliver, a well-known open-source Red Team/adversary emulation framework.
• Once deployed, Sliver functions as an implant, enabling threat actors to establish communication with the compromised system and conduct further malicious operations, thereby enhancing their control over the infected network.

Overview

Cyble Research & Intelligence Labs (CRIL) recently identified an ongoing campaign involving an archive file containing a deceptive LNK file. While the initial infection vector remains unclear, this attack is likely initiated via spear-phishing email.

The archive file “Homeoffice-Vereinbarung-2025.7z,” once extracted, contains a shortcut (.LNK) file along with several other components, including legitimate executables (DLL and EXE files), a malicious DLL file, an encrypted DAT file, and a decoy PDF. Interestingly, the creation times of most files in the archive are about a year old, with only the lure document being recently created. This suggests that the Threat Actor (TA) has not updated their core components, opting instead to introduce a new lure document to maintain the campaign’s relevance.

Upon execution, the LNK file triggers the opening of a decoy document, masquerading as a Home Office Agreement. This document serves as a lure to deceive the user. Concurrently, the LNK file also executes a legitimate executable, which subsequently performs DLL sideloading. The legitimate executable loads the malicious DLL, which is designed to retrieve and decrypt the shellcode from the DAT file stored in the same extracted archive. This entire process occurs entirely in memory, enabling the attack to evade detection by security products.

The shellcode is designed to decrypt and execute an embedded payload, a Sliver implant—an open-source red teaming and command and control framework employed by the TA for further malicious actions. Upon execution, the implant establishes connections to specific remote servers/endpoints, enabling the TA to conduct additional malicious operations on the victim’s system.

The figure below provides an overview of the infection process.

Technical Details

The attack begins once the victim extracts an archive file, likely delivered via an email attachment, containing several files:

• IPHLPAPI.dll – malicious DLL file
• IPHLPLAPI.dll – renamed legitimate IPHLPAPI.DLL
• ccache.dat – Contains Encrypted Shellcode
• wksprt.lnk  – Shortcut file to load wksprt file
• 00_Homeoffice-Vereinbarung-2025.pdf – Lure document
• Homeoffice-Vereinbarung-2025.pdf.lnk – Main shortcut file

However, only Homeoffice-Vereinbarung-2025.pdf.lnk, disguised as a PDF, is visible, while the other files remain hidden. When the user runs this LNK file, it triggers cmd.exe to execute a series of commands, copying files to specific directories and performing additional tasks. The image below shows the command embedded in the LNK file.

Following the execution of the LNK file, a directory named “InteI” is created within the user’s local app data folder (%localappdata%InteI). A legitimate Windows file, wksprt.exe, from C:WindowsSystem32 is then copied into this newly created InteI directory. Subsequently, the hidden files IPHLPAPI.dll, IPHLPLAPI.dll, and ccache.dat are copied into the “InteI” directory, with their hidden attributes preserved.

To establish persistence on the victim’s machine, wksprt.lnk, one of the files from the extracted folder, is copied to the Startup folder (%appdata%MicrosoftWindowsStart MenuProgramsStartup). This LNK file is designed to execute wksprt.exe, which has been copied to the “InteI” directory, ensuring that the executable runs automatically upon system startup.

Before the final step, the decoy file “00_Homeoffice-Vereinbarung-2025.pdf” is executed to maintain the appearance of a legitimate document being opened.

The lure document is a Home Office Agreement (Homeoffice-Vereinbarung) written in German, serving as a supplementary agreement to an existing employment contract between an organization and an employee, outlining the terms for remote work. Based on the content of this lure document, we believe this campaign is designed to target individuals or organizations in Germany. Furthermore, the initial .7z file was observed to have been uploaded to VirusTotal from a German location, supporting this assessment. Finally, wksprt.exe is launched from the “InteI” directory to carry out further actions.

The malicious DLL file has a very low detection rate, as shown below.

DLL Sideloading and DLL Proxying:

The legitimate executable wksprt.exe sideloads a malicious DLL (IPHLPAPI.dll) from the current directory. The malicious IPHLPAPI.dll then loads a slightly renamed legitimate DLL (IPHLPLAPI.dll), designed to appear authentic. Both DLLs export the same functions, as shown below.

The malicious DLL acts as a proxy, intercepting function calls from the executable and forwarding them to the legitimate DLL, which contains the actual implementation of the function, as shown below.

The forwarding of function calls ensures that the application maintains its normal behavior while allowing the malicious DLL to execute its own code. In addition, the malicious DLL spawns a new thread to read the contents of the file ccache.dat, as shown below.

After the “ccache.dat” file’s content is read, the malicious thread decrypts the malicious data. It employs the following cryptographic APIs for key generation and decryption:

• CryptAcquireContextW
• CryptCreateHash
• CryptHashData
• CryptDeriveKey
• CryptDecrypt

The thread now copies the decrypted content to the newly allocated memory and executes it. The figure below shows the decrypted content of “ccache.dat” and the control transfer to the decrypted content.

The decrypted content is a shellcode that runs another decryption loop to retrieve the actual payload embedded within it, as shown below.

The shellcode is designed to execute the embedded Sliver implant—an open-source red teaming framework used for malicious purposes by the TAs. Once executed, the implant connects to the following endpoints to carry out additional activities on the victim’s system.

• hxxp://www.technikzwerg[.]de/auth/auth/authenticate/samples.html
• hxxp://www.technikzwerg[.]de/auth/auth/authenticate/samples.php

Attribution

While we cannot definitively attribute this campaign to any specific group at this point, the initial infection vector, stager DLL behavior, shellcode injection, and Sliver framework exhibit patterns typically associated with APT29 in past campaigns. Additionally, this group has frequently employed the DLL sideloading technique in its operations. However, the most recent sample analyzed introduces DLL proxying, a technique not previously observed in APT29’s campaigns.

Conclusion

This campaign targets organizations in Germany by impersonating an employee agreement for remote working. Using this lure, the threat actors deploy a deceptive LNK file and malicious components to gain an initial foothold on the victim’s system, leading to its compromise and further exploitation.

By employing advanced evasion techniques such as DLL sideloading, DLL proxying, shellcode injection, and the Sliver framework, the attackers effectively bypass traditional security measures. This multi-stage cyberattack highlights the increasing sophistication and adaptability of threat actors, underscoring the growing complexity of APT operations and the urgent need for enhanced detection and defense strategies.

Yara and Sigma rules to detect this campaign are available for download from the linked Github repository.  

Our Recommendations

• The initial breach may occur via spam emails. Therefore, it’s advisable to deploy strong email filtering systems to identify and prevent the dissemination of harmful attachments.
• Exercise caution when handling email attachments or links, particularly those from unknown senders. Verify the sender’s identity, particularly if an email seems suspicious.
• Use application whitelisting to prevent unauthorized execution of LNK files and other suspicious components.
• Deploy Endpoint Detection and Response (EDR) solutions to identify and block malicious behaviors, such as DLL sideloading and shellcode injection.
• Monitor for anomalous network activities, such as unexpected outbound connections, to detect Sliver framework-related activities.

MITRE ATT&CK® Techniques

Tactic	Technique	Procedure
Initial Access (TA0001)	Phishing (T1566)	The archive file may be delivered through phishing or spam emails
Execution  (TA0002)	Command and Scripting   Interpreter (T1059)	TAs abuse command and script interpreters to execute commands
Persistence  (TA0003)	Registry Run Keys / Startup   Folder (T1547.001	Creates persistence by   adding a lnk to a startup folder
Privilege   Escalation  (TA0004)	Hijack Execution Flow:   DLL Side-Loading (T1574.002)	Execute malicious Dll using Dll Sideloading
Defense Evasion (TA0005)	Obfuscated Files or   Information (T1027.002)	Binary includes encrypted data
Command and Control (TA0011)	Application Layer Protocol: Web Protocols (T1071.001)	Implant communicates with its C&C server

Indicators of Compromise (IOCs)

Indicators	Indicator Type	Description
83a70162ec391fde57a9943b5270c217d63d050aae94ae3efb75de45df5298be	SHA-256	Archive File
f778825b254682ab5746d7b547df848406bb6357a74e2966b39a5fa5eae006c2	SHA-256	LNK file
9b613f6942c378a447c7b75874a8fff0ef7d7fd37785fdb81b45d4e4e2d9e63d	SHA-256	Malicious DLL
86f8a979bd887955f0491a0ed5e00de2f3fe53e6eb5856fb823115ce43b7c0ca	SHA-256	Encrypted .dat file

References

https://lab52.io/blog/2162-2/
https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf
https://www.ired.team/offensive-security/persistence/dll-proxying-for-persistence

The post Sliver Implant Targets German Entities with DLL Sideloading and Proxying Techniques appeared first on Cyble.

Blog – Cyble – ​Read More

Welcome to this week’s edition of the Threat Source newsletter. 

“When I was a boy and I would see scary things in the news, my mother would say to me, ‘Look for the helpers. You will always find people who are helping.’” 

 ― Fred Rogers 

There’s no world where following Mr. Roger’s advice is wrong. With the wildfires raging in Greater Los Angeles now more than ever I am very aware of the need to look for the helpers. I get it, I see the news and it’s overwhelming and terrifying. So Gentle Reader I’m asking that instead of just finding the helpers – be the helper.  
 
I’d like everyone to take a moment and think about what you can do to be a helper – not just with the catastrophic fires and the incredible destruction but in your own world. In your home life and in your work life. Nothing is more intrinsic to information security than the sharing of knowledge and information. It’s how we all got the roles that we are in now. The older I get the more joy I find in sharing anything and everything that I know. I’m proud to be a mentor in Cisco’s Women in Cybersecurity and outside of work I’ve started volunteering to teach English as a second language – and cannot tell you how rewarding both are. There are so many incredible non-profits that you can give your time and money. Do both. There are so many infosec groups that are in need of your time, your invaluable experience, and mentorship. Be the helper. Find a local group, find an internal team within your organization, and if you can’t find one – create one.  
 
Be the helper.  

Let’s use this terrible event as a driver to push us all to do more to be the helpers. After all, what would Mr. Rogers do?  

The one big thing 

Cisco Talos discovered forty-four vulnerabilities, and sixty-three CVEs were discovered across ten .cgi and three .sh files, as well as the static login page, of the Wavlink AC3000 wireless router web application.   

 The Wavlink AC3000 wireless router is one of the most popular gigabit routers in the US, in part due to both its potential speed capabilities and low price point. Talos is releasing these advisories in accordance with Cisco’s third-party vulnerability 

Why do I care? 

An attacker can send a specially crafted set of network packets over WAN to gain root access to the router via the wcrtrl service and static login credentials. With the ongoing state-sponsored attacks on infrastructure this is critical to a secure environment.  

So now what? 

 
Cisco Talos has released several Snort rules and ClamAV signatures to detect and defend against the exploitation of these vulnerabilities.  

Top security headlines of the week 

Hackers are exploiting a new Fortinet firewall bug to breach company networks. (TechCrunch) 

CISA is urging federal agencies to patch a command injection flaw tracked as CVE-2024-12686, otherwise known as BT24-11, and has added it to the Known Exploited Vulnerabilities (KEV) Catalog. The medium-severity security bug was found as a part of BeyondTrust’s Remote Support SaaS Service security investigation, which was launched after a major data breach at the US Treasury Department. (DarkReading)  

Microsoft rings in 2025 with record security update. Microsoft has issued patches for an unprecedented 159 CVEs, including eight zero-days, three of which attackers are already exploiting. (DarkReading)  

Can’t get enough Talos? 

• Slew of Wavlink Vulnerabilities  
• Evolution and Abuse of Proxy Networks 
• Patch Tuesday was a big one 

Upcoming events where you can find Talos 

Cisco Live EMEA (February 9-14, 2025)   
Amsterdam, Netherlands 

Most prevalent malware files from Talos telemetry over the past week  

 SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5   

MD5: ff1b6bb151cf9f671c929a4cbdb64d86   

  

VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5 

Typical Filename: endpoint.query   

Claimed Product: Endpoint-Collector   

Detection Name: W32.File.MalParent   

  

  

SHA 256:9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

MD5: 2915b3f8b703eb744fc54c81f4a9c67f 

 VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

Typical Filename: VID001.exe 

Detection Name: Simple_Custom_Detection 

  

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  

MD5: 71fea034b422e4a17ebb06022532fdde  

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

Typical Filename: VID001.exe 

Claimed Product: N/A   

Detection Name: Coinminer:MBT.26mw.in14.Talos 

  

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   

MD5: 7bdbd180c081fa63ca94f9c22c457376  

  

VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details%C2%A0 

Typical Filename: c0dwjdi6a.dll  

Claimed Product: N/A   

Detection Name: Trojan.GenericKD.33515991 

Cisco Talos Blog – ​Read More

Overview 

Critical vulnerabilities in Hitachi Energy UNEM Network Management Systems were among the highlights in Cyble’s weekly Industrial Control System (ICS) Vulnerability Intelligence Report, which also examined flaws in products from Delta Electronics, Schneider Electric and other ICS vendors. 

Cyble Research & Intelligence Labs (CRIL) examined 16 vulnerabilities in the report for clients – half of which affect Hitachi Energy FOXMAN-UN products – based on ICS alerts by the Cybersecurity and Infrastructure Security Agency (CISA) between January 8-14. 

Of the 16 vulnerabilities, two are critical, nine are high severity, and five are medium severity. They span Communication, Critical Manufacturing, Chemical, Energy, Wastewater Systems and Commercial Facilities, and could lead to operational disruption, data compromise, and unauthorized access or exploitation of key functionality in power supply systems, which are foundational to numerous industries. 

Hitachi Energy Vulnerabilities 

The Hitachi Energy vulnerabilities include improper authentication, buffer overflow, excessive authentication attempts, hard-coded passwords, and cleartext storage of sensitive information, underscoring the systems’ complexity and potential attack surfaces. 

CVE-2024-2013, a 10.0-severity authentication bypass vulnerability in FOXMAN-UN, UNEM servers and API Gateways, could allow attackers without credentials to access the services and the post-authentication attack surface. 

CVE-2024-2012, a 9.8-severity authentication bypass vulnerability in the network management products, could allow attackers to execute commands or code on UNEM servers, potentially allowing sensitive data to be accessed or changed. 

The vulnerabilities were first reported in June 2024, but were the subject of a CISA advisory this week that cited the vulnerabilities’ low complexity and ability to be exploited remotely. CISA also cited six additional Hitachi Energy vulnerabilities, with CVSS v3 scores ranging from 4.1 to 8.6. 

While some of the affected products can be patched with updates, Hitachi Energy notes that UNEM R16A and UNEM R15A are end of life (EOL) and recommends that users upgrade to UNEM R16B PC4 or R15B PC5 in addition to applying recommended mitigations. 

Schneider Electric and Delta Electronics Vulnerabilities 

Schneider Electric’s vulnerabilities, primarily in HMI and control system software, highlight the challenges in securing operational technology (OT) interfaces.  

CVE-2024-11999 is an 8.7-rated Use of Unmaintained Third-Party Components vulnerability in Harmony HMI and Pro-face HMI automation components that could allow complete control of the device if an authenticated user installs malicious code into the HMI product. 

CVE-2024-10511 is an Improper Authentication vulnerability in PowerChute Serial Shutdown UPS management software. 

CVE-2024-8306 is an Improper Privilege Management vulnerability in Vijeo Designer HMI Configuration Software that could allow unauthorized access when non-admin authenticated users try to perform privilege escalation by tampering with the binaries. 

CVE-2024-8401is a Cross-site Scripting (XSS) vulnerability in EcoStruxure power monitoring and operation products. 

The three Delta Electronics vulnerabilities are all high-severity Remote Code Execution flaws tied to its DRASimuCAD design software: CVE-2024-12834, CVE-2024-12835 and CVE-2024-12836. 

Recommendations for Mitigating ICS Vulnerabilities  

Cyble recommended a number of controls for mitigating ICS vulnerabilities and improving the overall security of ICS systems. The measures include: 

1. Staying on top of security advisories and patch alerts issued by vendors and regulatory bodies like CISA. A risk-based approach to vulnerability management is recommended, with the goal of reducing the risk of exploitation. 

2. Implementing a Zero-Trust Policy to minimize exposure and ensuring that all internal and external network traffic is scrutinized and validated. 

3. Developing a comprehensive patch management strategy that covers inventory management, patch assessment, testing, deployment, and verification. Automating these processes can help maintain consistency and improve efficiency. 

4. Proper network segmentation can limit the potential damage caused by an attacker and prevent lateral movement across networks. This is particularly important for securing critical ICS assets. 

5. Conducting regular vulnerability assessments and penetration testing to identify gaps in security that might be exploited by threat actors. 

6. Establishing and maintaining an incident response plan, and ensuring that the plan is tested and updated regularly to adapt to the latest threats. 

7. Ongoing cybersecurity training programs should be mandatory for all employees, especially those working with Operational Technology (OT) systems. Training should focus on recognizing phishing attempts, following authentication procedures, and understanding the importance of cybersecurity practices in day-to-day operations. 

Conclusion 

Industrial Control Systems (ICS) vulnerabilities can threaten critical infrastructure environments, with the potential to disrupt operations, compromise sensitive data, and cause physical damage. Staying on top of ICS vulnerabilities and applying good cybersecurity hygiene and controls can limit risk. 

To access the full report on ICS vulnerabilities observed by Cyble, along with additional insights and details, click here. By adopting a comprehensive, multi-layered security approach that includes effective vulnerability management, timely patching, and ongoing employee training, organizations can reduce their exposure to cyber threats. With the right tools and intelligence, such as those offered by Cyble, critical infrastructure can be better protected, ensuring its resilience and security in an increasingly complex cyber landscape. 

The post ICS Vulnerability Report: Hitachi Energy Network Management Flaw Scores a Perfect 10 appeared first on Cyble.

Blog – Cyble – ​Read More