FBI and CISA warn of APTs using 3 Fortinet bugs for access per The Record
If you are running Fortinet and have an unpatched version of the FortiOS operating system, you’re gonna be going hunting, but not for Easter eggs. Like many recently had to do with their on-prem Exchange servers, you need to go looking for signs of uninvited guests.
Both CISA and the FBI have released a joint report warning that state-backed, well-resourced adversaries (possibly from Iran and China) are leveraging any or all of a trio of bugs “to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks”. This would be the second joint report they have released regarding a Fortinet security issue, the earlier one being in October 2020.
The three security bugs you should have patched, and now will, are: CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. But remember – patching after exploitation won’t protect you if they’re already in your network. And you don’t know that unless you go looking.
Breach: Capital One warns of more exposure from 2019 per Bleeping Computer
Capital One has warned more customers that their SSNs were exposed in a data breach from July 2019. This would be the AWS GitHub theft involving Paige Thompson. Unfortunately it didn’t stop at Capital One. Other companies include Ford, Vodafone and Michigan State U. The additional SSNs came to light when the bank used new tools to sift through the data and learned that those SSNs they said weren’t taken actually were. There are lessons here about penalties for failing to disclose all the information at the time, as the regulations require. And about concluding that if it was accessible, it was taken.
Zero-day warning for unsupported, outdated QNAP storage devices per Threatpost
QNAP NAS, or network-attached storage, devices are pretty common. Which makes them choice targets for attack, especially since they don’t always stay updated, monitored and maintained. We know what happens to things neglected and unprotected, right?
APT easy as 1-2-3
Two critical zero-day bugs affect legacy QNAP model TS-231 systems: CVE-2020-2509 and CVE-2021-36195. We are talking unauthenticated RCE, meaning an attacker doesn’t need credentials. The bugs affect some non-legacy systems too, but those now have patches available. There are a whole lotta boxes out there, so take the time, check yours against this list, and update what you can.
Shout out to my security-aware colleague Chuck – this is why I watch for QNAP 😊.