- The top attacker country was China with 127557 unique attackers (33.39%).
- The top Trojan C&C server detected was Lokibot with 10 instances detected.
- The top phishing campaign detected was against Facebook accounts with 44 instances detected.
Over 500 Australian Fortinet customers including Government agencies and internal departments as well as
iconic organisations within the Australian finance and banking sector, have had their FortiGate IPs and other sensitive credentials leaked on a prominent hacker forum. An unknown hacker posted a list of one-line exploits
for CVE-2019-13379 to steal VPN credentials from vulnerable target devices.
These remote command execution vulnerabilities affect over 1.5 million devices globally, and with no automatic update mechanism included within Fortinet's appliance, many affected systems will remain unpatched for the foreseeable future. Additionally, even if the affected Fortinet VPNs are later patched, those passwords can be reused by anyone with access to the leaked data and potentially regain control to the VPNs.
Critical summary of CVE-2019-13379:
An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to
6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 under SSL VPN web portal allows an unauthenticated attacker to
download system files via special crafted HTTP resource requests.
This vulnerability has been chained with improper permissions set on the SSL VPN session file which can be accessed through path traversal from the Webroot in a publicly disclosedPoC exploit released 11/08/2019.
COVID-19 DOCUMENTATION HACK
The European Medicines Agency (EMA) which controls the use of medicines across the European Union, has been a target of a cyberattack. With the attack focusing on documentation relating to the regulatory submission for Pfizer and BioNtech's COVID-19 vaccine candidate BNT162b2.
The Agency has launched a full investigation with close cooperation with law enforcement and other relevant entities. No additional information concerning the cyberattack has been released.
GOOGLE PLAY CORE LIBRARY
A security flaw has been located within Google Play Core Library, placing hundreds of millions of Android users at risk. The CVE-2020-8913 is a local-code-execution vulnerabilitywhich resides within the SplitCompat.install endpoint in Android's Play Core Library. Thissecurity flaw provides cybercriminals with the opportunity to gain code execution inside popular applications located within the Google Play Store, allowing them to have the same data access as those vulnerable applications.
Top Attackers By Country
Top Attackers By Country
- United States
Top Attacking Hosts
Top Network Attackers
|32329||United States||MONKEYBRAINS, US|
|4134||China||CHINANET-BACKBONE No.31,Jin-rong Street, CN|
|14618||United States||AMAZON-AES, US|
|4837||China||CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN|
Remote Access Trojan C&C Servers Found
|AgentTesla||3||22.214.171.124 , 126.96.36.199 , 188.8.131.52|
|AzorUlt||4||184.108.40.206 , 220.127.116.11 , 18.104.22.168 , 22.214.171.124|
|BlackNet||2||126.96.36.199 , 188.8.131.52|
|CobaltStrike||2||184.108.40.206 , 220.127.116.11|
|DiamondFox||2||18.104.22.168 , 22.214.171.124|
|Heodo||3||126.96.36.199 , 188.8.131.52 , 184.108.40.206|
|Keitaro||2||220.127.116.11 , 18.104.22.168|
|Kpot||2||22.214.171.124 , 126.96.36.199|
|Lokibot||10||188.8.131.52 , 184.108.40.206 , 220.127.116.11 , 18.104.22.168 , 22.214.171.124 , 126.96.36.199 , 188.8.131.52 , 184.108.40.206 , 220.127.116.11 , 18.104.22.168|
|Oski||2||22.214.171.124 , 126.96.36.199|
|Predator||3||188.8.131.52 , 184.108.40.206 , 220.127.116.11|
|Redirected||2||18.104.22.168 , 22.214.171.124|
|TrickBot||7||126.96.36.199 , 188.8.131.52 , 184.108.40.206 , 220.127.116.11 , 18.104.22.168 , 22.214.171.124 , 126.96.36.199|
Trojan C&C Servers Detected
Top Phishing Campaigns
CVEs with Recently Discovered Exploits
This is a list of recent vulnerabilities for which exploits are available.
CVE-2020-4006VMware Workspace One Access Command Injection Vulnerability
|VMware Workspace One Access is exposed to a command injection vulnerability in the administrative configurator that could allow a malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account to execute commands with unrestricted privileges on the underlying operating system.||CVSSv3BaseScore:7.2(AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)||11/23/2020||12/10/2020|
CVE-2020-17049Microsoft Kerberos Security Feature Bypass Vulnerabilit
|A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD). To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it.||CVSSv3BaseScore:7.2(AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)||11/11/2020||11/23/2020|
CVE-2020-4463IBM Maximo Asset Management External Entity Injection Vulnerability
|IBM Maximo Asset Management is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.||CVSSv3BaseScore:8.2(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)||07/29/2020||07/30/2020|
CVE-2020-17140Microsoft Windows SMB Information Disclosure Vulnerability
|Microsoft Windows is exposed to SMB information disclosure vulnerability where an attacker can successfully exploit this vulnerability to access contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process. In a network-based attack, an authenticated attacker would need to open a specific file with captured oplock lease, then perform repeated specific modifications to that file.||CVSSv3BaseScore:8.1(AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)||12/09/2020||12/11/2020|
CVE-2020-8913Google Android Play Core Library Arbitrary Code Execution Vulnerability
|A local, arbitrary code execution vulnerability exists in the SplitCompat.install endpoint in Android's Play Core Library. A malicious attacker could create an app which targets a specific application, and if a victim were to install this app, the attacker could perform a directory traversal, execute code as the targeted application and access the targeted application's data on the Android device.||CVSSv3BaseScore:8.8(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)||08/12/2020||08/31/2020|
CVE-2020-1971OpenSSL EDIPARTYNAME NULL pointer de-reference Vulnerability
|A null pointer dereference flaw was found in openssl. A remote attacker, able to control the arguments of the GENERAL_NAME_cmp function, could cause the application, compiled with openssl to crash resulting in a denial of service. The highest threat from this vulnerability is to system availability.||CVSSv3BaseScore:7.5(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)||12/08/2020||12/10/2020|
CVE-2020-9844MacOS Catalina Memory Corruption Vulnerability
|A double free issue was addressed with improved memory management. A remote attacker may be able to cause unexpected system termination or corrupt kernel memory.||CVSSv3BaseScore:7.5(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)||06/09/2020||10/16/2020|
CVE-2020-28914Kata Containers Improper File Permissions Vulnerability
|An improper file permissions vulnerability affects Kata Containers. When using a Kubernetes hostPath volume and mounting either a file or directory into a container as readonly, the file/directory is mounted as readOnly inside the container, but is still writable inside the guest. For a container breakout situation, a malicious guest can potentially modify or delete files/directories expected to be read-only.||CVSSv3BaseScore:7.1(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)||11/17/2020||12/04/2020|