security awareness training

Attacking FortiNAC Devices: Experts Advise Updating

A serious vulnerability in Fortinet’s FortiNAC network access control suite (CVE-2022-39952) is now being exploited by hackers to add a cron job that starts a reverse shell on vulnerable systems as the root user. This unauthenticated file path modification vulnerability poses a major security risk for enterprises using the FortiNAC solution because it may be used to execute commands remotely.

Fortinet has already released security upgrades to remedy the issue, and has recommended that users update susceptible appliances to the most recent versions. As the corporation hasn’t offered any mitigation advice or workarounds, updating is the only option to prevent attacks. Researchers from cybersecurity firms, including Shadowserver Foundation, GreyNoise, and CronUp, have recently observed attacks on CVE-2022-39952 from a variety of IP addresses. This indicates that attackers have already started focusing on unpatched FortiNAC devices.

Horizon3 security researchers have created proof-of-concept (PoC) exploit code which allows hackers to add a cron task that starts a reverse shell on vulnerable systems. Fortinet had previously issued a warning in December 2022 to customers to patch FortiOS SSL-VPN appliances against an actively exploited security flaw (CVE-2022-42475), which was also used as a zero-day in attacks against targets associated with the government.

In reaction to what it called “sensationalized claims” about recent exploitation attempts aimed at a vulnerability in its FortiNAC network access control product, Fortinet has offered some crucial clarifications. The company emphasized that it is yet unclear how exploiting CVE-2022-39952 will actually affect users. However, FortiNAC users should be aware of the possible hazard, as knowledgeable threat actors have been known to attack Fortinet products.

FortiNAC administrators are highly advised to update their software right away to a version of the software that is not impacted by the CVE-2022-39952 vulnerability. This includes FortiNAC versions 9.4.1 or later, 9.2.6 or later, 9.1.8 or newer, and 7.2.0 or later. Organizations may stop hackers from using this important vulnerability to gain access to their corporate networks by heeding this advice.

At nGuard, we understand the importance of proactive security measures to protect our clients from the evolving threat landscape. That’s why we offer a range of security services designed to help detect vulnerabilities like the FortiNAC vulnerability, including internal penetration testing, vulnerability management, and strategic security assessments. Our team of experts can work with clients to develop and implement policies and procedures to ensure they can quickly identify and address security threats, and stay up-to-date on emerging vulnerabilities through our security advisories. By partnering with nGuard, clients can rest assured that they have access to the latest security technologies and expertise to help them stay one step ahead of the threats.

Are You Prepared for the New Cyber Insurance Requirements?

As cyberattacks increase worldwide, insurance companies are tightening their cyber insurance policy requirements. This is due to the 80% rise in ransomware attacks last year, leading to a large number of claims. Among the new provisions are the requirement for multi-factor authentication (MFA) for all admin access and the protection of all privileged accounts. However, identifying gaps in MFA and privileged account protection within a network can be challenging for organizations. In addition to MFA, there are several other requirements that stipulate detailed attestation when filling out a cyber policy questionnaire. A few of those requirements are:

Security Awareness Training and Testing
This process is designed to educate employees on cyber security threats and risks, and to test their understanding of these issues through interactive simulations and assessments. The goal is to raise awareness, increase knowledge, and promote safe online behavior within an organization. To reduce your risk of phishing attacks, nGuard has been conducting Security Awareness Training and phishing testing though our Social Engineering Assessment for years.
Vulnerability Management
A thorough vulnerability management program will identify, assess, and prioritize vulnerabilities in an organization’s systems and networks, and take action to remediate or mitigate these risks to prevent exploitation. This helps maintain the security and integrity of systems and data by staying on top of vulnerabilities as they are discovered. Conducting monthly or quarterly vulnerability scans on an ongoing basis will not only help meet insurance requirements but also keep your network secure. nGuard’s Vulnerability Management can help you manage your external environment, internal environment, and meet PCI requirements with ASV scanning.
24/7/365 Monitoring
A Security Information and Event Management (SIEM) system collects and aggregates log data from various sources within an organization and uses analytics and threat detection techniques to identify potential security incidents and enable security teams to respond promptly. SIEM provides centralized security visibility and event correlation. nGuard’s managed security team performs both manual and automated daily log analysis that proactively detects suspicious activity in your environment with our managed SIEM service called Managed Event Collection & Correlation. nGuard is adding artificial intelligence and machine learning to detect and respond to security threats in real-time via UEBA (User and Entity Behavior Analytics).
Secured, Encrypted, Offsite Backups
Offsite backups refer to the storage of backup data at a remote location, typically in a secure data center, separate from the primary data storage. This helps ensure that the data can be recovered in case of a disaster or cyberattack and protected against data loss while minimizing downtime. Offsite backups are an important component of a comprehensive disaster recovery plan. A Strategic Security Assessment utilizing the Center for Internet Security (CIS) 18 Critical Security Controls as the foundation can help bring the lack of controls like this and others to light.
Endpoint Detection & Response (EDR)
This real-time security solution will monitor and respond to security threats on endpoint devices such as computers and servers using artificial intelligence and machine learning to detect and isolate security incidents.

As insurance carriers adjust the requirements to obtain and maintain coverage, a thorough assessment can help organizations identify and close security gaps to help meet the new cyber insurance requirements and improve their overall security posture. nGuard has a number of solutions that can help meet and exceed the requirements needed to obtain and maintain cyber insurance.

TWiC | Fortinet PoC, US Airport Sites Go Offline, CISA Warns of Industrial Appliance Flaws, & Windows 11 Phishing Protection

Over the past few weeks there have been several hot topics and time sensitive advisories released. In this edition of This Week in Cybersecurity, nGuard will highlight the Fortinet proof-of-concept (PoC) that was released; Russian-speaking hackers taking down US Airport websites; Windows 11 offering automatic phishing protection; and CISA warning of critical flaws in some industrial appliances.

Fortinet PoC Released
A proof-of-concept (PoC) exploit code has been made available for the recently disclosed critical security flaw affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager. A successful exploitation of the shortcoming is tantamount to granting complete access “to do just about anything” on the affected system. Fortinet issued an advisory urging customers to upgrade affected appliances to the latest version as soon as possible and CISA added this to their Known Exploited Vulnerabilities (KEV) Catalog. 12 unique IP addresses have accounted for most responsibility in weaponizing CVE-2022-40684 as of October 13, 2022. A majority of them are located in Germany, followed by the U.S., Brazil, China and France. nGuard covered this in more detail in a Security Advisory last week. Conducting ongoing penetration testing and vulnerability management can alert you to these types of vulnerabilities being present in your environment.

US Airport Sites Taken Down by Russian-Speaking Attackers
On Monday October 10^th, more than a dozen public-facing airport websites, including those for some of the nation’s largest airports, appeared inaccessible, and Russian-speaking hackers claimed responsibility. The attack was carried out by a group known as Killnet, who support the Kremlin but are not thought to be government hackers. Killnet favors a type of attack known as a distributed denial of service (DDoS). Two of the sites that were affected by this attack were Atlanta’s Hartsfield-Jackson International Airport and the Los Angeles International Airport websites. Fortunately, there did not seem to be an impact to air travel itself but may have caused inconveniences for individuals traveling during the time access to those sites was attempted.

Windows 11 Offers Automatic Phishing Protection
Enhanced phishing protection now comes prebuilt into the Windows 11 operating system. This protection can automatically detect when users type their password into any app or site that is known to be dangerous. Admins can know exactly when a password has been stolen and can be equipped to better protect against such attacks. According to Microsoft, “When Windows 11 protects against one phishing attack, that threat intelligence cascades to protect other Windows users interacting with other apps and sites that are experiencing the same attack.” A blocking dialog warning is displayed prompting users to change their password if they type it into a phishing site in any Chromium browser or into an application connecting to a phishing site. If users try to store their password locally, like in Notepad or in any Microsoft 365 app, Windows 11 warns them that this is an unsafe practice and urges them to delete it from the file. To help train and test your employees on their security awareness, nGuard offers custom, tailored Security Awareness Training and social engineering.

CISA Publishes Two Advisories Regarding Industrial Appliances
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published two Industrial Control Systems advisories pertaining to severe flaws in Advantech R-SeeNet and Hitachi Energy APM Edge appliances. The list of issues, which affect R-SeeNet Versions 2.4.17 and prior are:

CVE-2022-3385 and CVE-2022-3386 (CVSS scores: 9.8) – Two stack-based buffer overflow flaws that could lead to remote code execution
CVE-2022-3387 (CVSS score: 6.5) – A path traversal flaw that could enable a remote attacker to delete arbitrary PDF files

Patches have been made available in version R-SeeNet version 2.4.21 released on September 30, 2022.

These alerts come less than a week after CISA published 25 ICS a d visories on October 13, 2022, spanning several vulnerabilities across devices from Siemens, Hitachi Energy, and Mitsubishi Electric.

nGuard has a wide array of experience assessing critical infrastructure, SCADA, and Industrial Control Systems (ICS) and can help you secure yours. Conducting annual penetration testing, having a proper Incident Response Plan, and ensuring you have the proper logging, alerting, and correlation can help you stay ahead of the attackers.