Cyrus Robinson : Dec 14, 2022 12:00:00 AM
This security advisory notice addresses the critical unauthenticated remote code execution vulnerability in FortiOS: CVE-2022-42475. Read on to learn about this vulnerability, its impact, and the mitigation and patching recommendations.
This advisory specifically applies to the following Fortinet products:
A heap-based buffer overflow vulnerability in sslvpnd that can allow unauthenticated remote code execution via specially crafted requests.
FortiGuard Labs has confirmed at least one instance of exploitation "in the wild". This suggests that further weaponization and exploitation are active and imminent.
CVE-2022-42475
On December 09, 2022, Olympe CyberDefense, a France-based cyber threat intelligence vendor, posted an alert on their website about the then undisclosed zero-day vulnerability in FortiOS ssl-vpn. A few days later, on December 12, 2022, FortiGuard Labs published an official PSIRT advisory formalizing the flaw as CVE-2022-42475. FortiGuard included in their advisory a short list of Indicators of Compromise (IoCs) to validate against any Fortinet systems. The IoCs are:
IoC #1 - Multiple log entries with:
IoC #2 - Presence of the following artifacts in the filesystem:
IoC #3 - Connections to suspicious IP addresses from the FortiGate, including:
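An added triage helper (not Ingalls or Fortinet code) for the three IoC classes above: it parses FortiGate key=value log records, checks the logdesc/msg fields for the advisory's log markers, checks a file listing for the artifact paths, and checks traffic-log dstip values against the suspicious addresses. Every indicator value and sample record below is a constructed placeholder; substitute the entries from the Fortinet PSIRT advisory before use.

```python
"""Triage exported FortiGate logs and a file listing against the three IoC classes."""
import re
from typing import Dict, Iterable, List, Set

# FortiGate log records are space-separated key=value pairs; values may be double-quoted.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate log line into a field dictionary (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def hunt(log_lines: Iterable[str], file_listing: Iterable[str], log_markers: Set[str],
         artifact_paths: Set[str], suspicious_ips: Set[str]) -> Dict[str, List[str]]:
    """Return matches for IoC #1 (log markers), IoC #2 (filesystem artifacts), IoC #3 (connections)."""
    hits: Dict[str, List[str]] = {"log_entries": [], "artifacts": [], "connections": []}
    for line in log_lines:
        rec = parse_fortigate_log(line)
        haystack = rec.get("logdesc", "") + " " + rec.get("msg", "")
        if any(marker in haystack for marker in log_markers):
            hits["log_entries"].append(line)
        if rec.get("dstip") in suspicious_ips:  # traffic logs carry the destination here
            hits["connections"].append(line)
    for path in file_listing:
        if path.strip() in artifact_paths:
            hits["artifacts"].append(path.strip())
    return hits


# CONSTRUCTED placeholder indicators; replace with the values from the PSIRT advisory.
PLACEHOLDER_LOG_MARKERS = {"PLACEHOLDER-CRASH-MARKER"}
PLACEHOLDER_ARTIFACTS = {"/data/PLACEHOLDER/artifact.bin"}
PLACEHOLDER_IPS = {"192.0.2.10"}  # TEST-NET-1 documentation address, not a real indicator

# CONSTRUCTED sample records in FortiGate key=value format plus a constructed file listing.
SAMPLE_LOGS = [
    'date=2022-12-12 time=10:01:02 logid="0100032001" type="event" subtype="system" level="warning" logdesc="Application crashed" msg="PLACEHOLDER-CRASH-MARKER signal received"',
    'date=2022-12-12 time=10:02:03 logid="0000000013" type="traffic" subtype="forward" srcip=10.0.0.5 dstip=192.0.2.10 dstport=443 action="accept"',
    'date=2022-12-12 time=10:03:04 logid="0000000013" type="traffic" subtype="forward" srcip=10.0.0.6 dstip=198.51.100.7 dstport=443 action="accept"',
]
SAMPLE_FILES = ["/data/lib/libexample.so", "/data/PLACEHOLDER/artifact.bin"]


def run_sample() -> Dict[str, List[str]]:
    """Run the hunt over the constructed sample data."""
    return hunt(SAMPLE_LOGS, SAMPLE_FILES, PLACEHOLDER_LOG_MARKERS, PLACEHOLDER_ARTIFACTS, PLACEHOLDER_IPS)


if __name__ == "__main__":
    for category, matches in run_sample().items():
        print(f"{category}: {len(matches)} match(es)")
```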
This buffer overflow vulnerability can allow an unauthenticated attacker to perform operations on the administrative interface, manipulate dynamic resources of certain processes, execute arbitrary code from a remote device, and run other malicious artifacts.
Once a targeted system is compromised, there is a high risk of an organization's infrastructure backups being corrupted and/or ransomed, as well as a risk of lateral movement by the threat actor.
For clients who can not immediately patch vulnerable systems:
For clients who can immediately patch vulnerable systems:
The Ingalls CTI team is actively hunting for the known indicators of compromise at this time and will continue to closely monitor and develop additional detections as they become available. Please notify your assigned Primary Analyst if you suspect that your organization may be breached or require additional threat hunting and analysis.
Implement the above mitigation actions on every affected Fortinet appliance in your environment and roll out the latest patches as soon as possible.
Ingalls is dedicated to protecting your network and your information by providing defense-in-depth security through your Managed Detection & Response (MDR) service. As an added layer of defense, Ingalls now offers monitoring and support by a team of live Security Analysts in our Security Operations Center (SOC) 24 hours a day, every day of the year. Round-the-clock MDR provides extended coverage with continuous analysis, response and escalation, so you can have the peace of mind that comes from knowing your network is being monitored in real time even outside your business hours. Please contact dennis.zanoni@iinfosec.com for more information.