NEWS
Hacker attacks surge; Cyberport expands training to support testing and strengthen start-ups' resilience
In recent years, enterprises have faced increasingly serious hacker intrusions and cyberattacks, and must strengthen their cybersecurity resilience to protect their business and customer data...
NEWS
CyberBay's Felix Kan (簡培欽) on the effectiveness of ethical hacking
RTHK • Dec 18, 2023
CEO Felix Kan participated in an enlightening interview with 勞家樂 (LoKa Lok) on RTHK's 一桶金之財經新思維 programme. Covering topics from bug bounties to crowdsourced security, he simplified complex concepts, discussed industry trends, and emphasised the vital role of fostering cybersecurity specialists for digital transformation.
PRESS
OGCIO x HKIRC Cybersecurity Symposium
Cyberbay • Dec 14, 2023
An exceptional day unfolded at the Cybersecurity Symposium 2023! Our gratitude goes to OGCIO and Hong Kong Internet Registration Corporation Limited (HKIRC) for their crucial collaboration, which was instrumental in bringing this event to fruition. Thanks to everyone who explored our booth and showed keen interest in our cybersecurity solutions. The keynote speech by our CEO, Felix Kan, marked a significant milestone as the first speaker, emblematic of our local company's growth in Hong Kong. Sharing and connecting at the event provided a delightful platform to exchange insights on new technologies with existing clients and new acquaintances from the cybersecurity community in Hong Kong and mainland China. The engagement and enthusiasm we witnessed inspire us to persist in innovating within our dynamic field. We take immense pride in being a Hong Kong-based cybersecurity company, and your support strengthens our resolve to contribute to a more secure digital future. We look forward to welcoming more corporates onboard!
PRESS
Game-changing partnership: Cyberbay X OneInfinity by OneDegree
Cyberbay • Oct 6, 2023
Our partnership with OneDegree, Asia's digital asset insurance leader, offers robust protection for your digital assets. What's in it for you? We're bundling a cyber incident warranty powered by OneInfinity by OneDegree, ensuring your peace of mind. Combining crowdsourcing, continuous assessment, and warranty, we've got your back against cybersecurity threats. Experience peace of mind with our up to 200% protection guarantee. Our founder, Felix Kan, emphasized that CyberBay proactively assesses digital asset vulnerabilities for businesses. Our partnership with OneInfinity by OneDegree provides clients with enhanced cybersecurity protection, aligning with our ambition to create a bug-free cyber world.
PRESS
Cyberbay and the Hong Kong Police Force's 「狩網運動 2023」 (Bug Hunting Campaign 2023) concludes successfully: of the 60 participating enterprises and organisations, about 80% had network vulnerabilities
Cyberbay • Sep 5, 2023
The first 「狩網運動」 (Bug Hunting Campaign), jointly organised by Cyberport cyber vulnerability testing start-up Cyberbay and the Hong Kong Police Force, has concluded successfully. The two-month campaign successfully encouraged local enterprises, digital start-ups, non-profit organisations and public bodies to build cybersecurity protection and raise their awareness of cyber threats. Through free vulnerability testing (bug bounty), participating enterprises and organisations learned about the cybersecurity posture of their business and received cybersecurity reports and one-to-one professional cybersecurity consultations to strengthen their grasp of their security posture.

This year's campaign attracted 60 enterprises and organisations, more than half of them start-ups or SMEs and 30% non-profit organisations and public bodies. Participating industries included finance, technology, travel, healthcare, education and manufacturing, reflecting the growing attention paid to cybersecurity across sectors.

During the two-month campaign, cybersecurity specialists discovered a total of 197 vulnerabilities, of which 10% were critical and 40% were high-risk. 80% of the participating enterprises and organisations had network vulnerabilities; no vulnerabilities had been found in the remainder before the campaign ended. Most participants already had established cybersecurity measures in place. The campaign demonstrated that the programme can add an extra layer of protection to enterprises' cybersecurity.

As for recommendations, each enterprise or organisation received on average 4 remediation plans, half of which were high-risk priority items requiring prompt handling and correction, including helping enterprises and organisations protect customer data, secure business accounts, and prevent email mailboxes from being used as phishing tools. These figures not only highlight that the campaign successfully revealed potential cybersecurity threats across industries, but also reflect that some enterprises performed well in protecting their digital business.

During the campaign, more than 60 local cybersecurity specialists also made significant contributions in helping enterprises and organisations find vulnerabilities and publish vulnerability reports; the top 3 local specialists received more than HK$170,000 in rewards over the two months. This shows the excellent performance of bounty hunters in testing, and also helps encourage more digital talent to join the cybersecurity industry, finding potential vulnerabilities for enterprises through the emerging vulnerability testing service and earning bounty income while building a safer digital business environment for Hong Kong.

After receiving their vulnerability reports, participating enterprises and organisations still need to fix the vulnerabilities and retest through Cyberbay's dedicated platform. Retest data show that, compared with traditional cybersecurity testing methods, the Bug Bounty vulnerability testing service is cheaper and faster. With traditional testing methods it currently takes on average 60-150 days to fix vulnerabilities, whereas participating enterprises took on average only two weeks to complete remediation, with the fastest taking 9 days.

The campaign let enterprises and organisations understand their cybersecurity posture, while cybersecurity specialists gained practical testing experience and demonstrated their abilities. Going forward, Cyberbay will continue to work with the Hong Kong Police Force through future 「狩網運動」 campaigns to improve the cybersecurity performance of individual industries in a more precise and targeted way, while continuing to nurture local cybersecurity talent, attracting more digital talent to join the Bug Bounty vulnerability testing service, expanding the talent pool, and comprehensively raising Hong Kong's competitiveness in cybersecurity and the overall innovation and technology environment.

According to figures published by the Hong Kong Police Force, there were 15,637 technology crime cases in Hong Kong in the first half of 2023, a surge of nearly half (47.3%, or +5,024 cases) from 10,613 in the same period last year, with total losses of HK$2.03 billion, up 28% (+HK$450 million). Technology crimes accounted for more than 36% (36.4%) of the overall 42,923 crime cases.
BLOG
PaperCut Unauthenticated Remote Code Execution (RCE) Vulnerability (CVE-2023-39143)
Dark Lab • Aug 8, 2023
CVE-2023-39143 refers to two path traversal vulnerabilities that may be chained together by malicious actors to read and write arbitrary files. Successful exploitation enables an unauthenticated attacker to read, delete, and upload arbitrary files to the PaperCut MF/NG server to achieve RCE in certain configurations. The vulnerability only impacts PaperCut servers running on Windows. Exploitation is conditional: the attacker needs direct access to the server IP, and RCE via file upload is only possible when the external device integration setting is enabled. This setting is enabled by default on certain installations of PaperCut (e.g. PaperCut NG Commercial version or PaperCut MF). Whilst CVE-2023-39143 had not been observed to be exploited in the wild as at the time of writing, we observed mass exploitation of a similar unauthenticated RCE vulnerability, CVE-2023-27350, in April 2023, which was weaponised by opportunistic ransomware groups (e.g. Cl0p, LockBit, Bl00dy ransomware) as well as multiple advanced persistent threat (APT) actors. The vendor has released a patch to remediate CVE-2023-39143. A temporary workaround until the patch can be applied is to configure an allowlist of device IP addresses that are allowed to communicate with your Internet-facing PaperCut server.
https://www.papercut.com/kb/Main/SecureYourPaperCutServer/
https://www.horizon3.ai/cve-2023-39143-papercut-path-traversal-file-upload-rce-vulnerability/
https://www.rapid7.com/blog/post/2023/05/17/etr-cve-2023-27350-ongoing-exploitation-of-papercut-remote-code-execution-vulnerability/
BLOG
VMware Aria Operations for Logs RCE Vulnerability (CVE-2023-20864) Exploit Code Released
Dark Lab • Jul 13, 2023
CVE-2023-20864 is a critical deserialisation vulnerability that enables an unauthenticated attacker with network access to VMware Aria Operations for Logs (formerly vRealize Log Insight) to achieve remote code execution (RCE) as root. Given the vulnerability's low attack complexity and the availability of exploit code, malicious actors are likely to quickly weaponise it to infiltrate unpatched instances and perform RCE. This comes shortly after a similar RCE vulnerability (CVE-2023-20887) in VMware Aria Operations for Networks was observed being actively exploited by malicious actors in June 2023. VMware advises customers to apply the latest patch to remediate CVE-2023-20864 and the other patched vulnerabilities. No further workarounds have been advised.
https://www.vmware.com/security/advisories/VMSA-2023-0007.html
BLOG
PoC Release for Critical Pre-Authentication RCE Vulnerability in Citrix Content Collaboration (CVE-2023-24489)
Dark Lab • Jul 13, 2023
On 13 June, Citrix released a security advisory and patch for a critical remote code execution (RCE) vulnerability (CVE-2023-24489) in their ShareFile Storage Zones Controller, impacting Citrix Content Collaboration. On 4 July, a Proof-of-Concept (PoC) was released, and we have since observed interest on dark web hacking forums in weaponising a PoC exploit for the vulnerability. Furthermore, a similar vulnerability (CVE-2021-22941) impacting Citrix ShareFile is listed on CISA's Known Exploited Vulnerabilities Catalog; it was added in April 2022 after researchers detected a notorious initial access broker, PROPHET SPIDER, exploiting CVE-2021-22941 to gain unauthorised access to the underlying Microsoft Internet Information Services (IIS) webserver. We posit that the vulnerability will quickly be weaponised by malicious actors and urge impacted users to apply the patch immediately, if not already applied.
https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/
https://support.citrix.com/article/CTX559517/sharefile-storagezones-controller-security-update-for-cve202324489
BLOG
PoC Released for Cisco AnyConnect Privilege Escalation Vulnerability (CVE-2023-20178)
Dark Lab • Jun 29, 2023
On 7 June, Cisco released a security advisory regarding a privilege escalation vulnerability impacting Cisco AnyConnect VPN products (CVE-2023-20178). A low-privileged, authenticated, local attacker can exploit the specific Windows installer process to elevate their privileges to those of SYSTEM. A Proof of Concept (PoC) has since been released and, whilst no exploitation attempts have been observed as at the time of writing, we suspect that malicious actors will seek to weaponise the vulnerability post-infiltration. We recommend applying the latest patch to mitigate against potential exploitation attempts, given the release of the PoC.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-csc-privesc-wx4U4Kw
https://github.com/Wh04m1001/CVE-2023-20178
BLOG
Remote Code Execution Vulnerability in Fortinet FortiNAC (CVE-2023-33299)
Dark Lab • Jun 29, 2023
On 23 June, the vendor released a security advisory for a critical remote code execution (RCE) vulnerability discovered in Fortinet's FortiNAC products (CVE-2023-33299). The vulnerability exists due to a deserialisation of untrusted data flaw that enables an unauthenticated attacker to execute unauthorised code or commands via specially crafted requests to the TCP/1050 service. Given that an unauthenticated attacker can exploit it to achieve RCE, we posit that threat actors will quickly weaponise the publicly disclosed PoC to infiltrate vulnerable FortiNAC environments and perform subsequent RCE to achieve their intended goal. We recommend impacted users apply the latest patch to remediate susceptibility to CVE-2023-33299.
https://www.fortiguard.com/psirt/FG-IR-23-074
BLOG
New MOVEit Transfer Critical Vulnerability (CVE-2023-35036)
Dark Lab • Jun 13, 2023
Shortly after the disclosure of the actively exploited zero-day vulnerability in Progress' MOVEit Transfer software (CVE-2023-34362), Progress has released a new security advisory for a further SQL injection vulnerability impacting MOVEit Transfer, CVE-2023-35036. Exploitation of CVE-2023-35036 could enable an unauthenticated attacker to gain unauthorised access to the MOVEit Transfer database. Given the active exploitation of CVE-2023-34362 by Cl0p ransomware actors, we posit that Cl0p ransomware operators will quickly weaponise CVE-2023-35036 to expand their targeting. Customers using MOVEit products are strongly advised to apply the latest patch to remediate susceptibility to the vulnerabilities.
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-CVE-Pending-Reserve-Status-June-9-2023
BLOG
Google Chrome Zero-Day Vulnerability Actively Exploited by Unknown Threat Actors (CVE-2023-3079)
Dark Lab • Jun 8, 2023
On 5 June 2023, Google released a new Chrome security advisory with an urgent patch for a newly discovered zero-day vulnerability (CVE-2023-3079) impacting Chrome. This is the third actively exploited Chrome zero-day since the start of 2023, after the previously reported CVE-2023-2033 (type confusion in V8) and CVE-2023-2136 (integer overflow in Skia). Google Chrome vulnerabilities are quickly weaponised by malicious actors given Chrome's wide user base and significant targeting surface. We recommend updating to the patched version and monitoring for unusual network traffic activity.
https://chromereleases.googleblog.com/2023/06/stable-channel-update-for-desktop.html
BLOG
Cl0p Ransomware Actors Exploit Zero-Day Vulnerability in MOVEit Transfer Software (CVE-2023-34362)
Dark Lab • Jun 8, 2023
On 5 June 2023, Progress disclosed a critical zero-day vulnerability (CVE-2023-34362) in their MOVEit Transfer technology. On 6 June 2023, the Ransomware-as-a-Service (RaaS) operator Cl0p claimed responsibility for the attacks on their data leak site. This is the group's second major exploitation of a zero-day in the last three months, after their mass exploitation of the zero-day vulnerability in Fortra's GoAnywhere Managed File Transfer (MFT) in February 2023. It is recommended that anyone leveraging MOVEit applications patch the vulnerable assets immediately and search historical logs for potential indicators of intrusion.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
BLOG
Zyxel security advisory for multiple buffer overflow vulnerabilities of firewalls (CVE-2023-33009, CVE-2023-33010)
Dark Lab • May 29, 2023
On 24 May 2023, Zyxel released a security advisory alerting customers of two critical buffer overflow vulnerabilities that may allow an unauthenticated attacker to perform a denial-of-service (DoS) attack or remote code execution in their firewall and VPN products. Though no exploitation attempts have been observed as at the time of writing, we suspect malicious threat actors will quickly seek to weaponise the critical vulnerabilities, given past exploitation of similar Zyxel vulnerabilities. The vendor has released a patch to remediate potential exploitation of the buffer overflow vulnerabilities. No further workarounds have been disclosed.
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-buffer-overflow-vulnerabilities-of-firewalls
BLOG
PaperCut Print Management Software Vulnerability (CVE-2023-27350 and CVE-2023-27351)
Dark Lab • Apr 27, 2023
On 19 April 2023, PaperCut released a security advisory alerting customers that unpatched servers were vulnerable to an unauthenticated RCE vulnerability (CVE-2023-27350) and an authentication bypass vulnerability (CVE-2023-27351) being exploited in the wild. On 24 April 2023, security researchers released a PoC write-up showcasing the ease of exploiting CVE-2023-27350. Suspected Russian-origin threat actors have been observed exploiting the PaperCut RCE vulnerability: researchers observed a PowerShell command that downloads and executes setup.msi, a legitimate installer for the Atera remote management and maintenance (RMM) software. This enabled the attacker to gain persistent remote access and RCE on the compromised device via the installed RMM. We recommend impacted organisations apply the patches immediately given the active exploitation and the ability for malicious actors to obtain RCE capabilities via CVE-2023-27350. Further, given active exploitation by unknown threat actors, we recommend organisations deploying vulnerable versions of PaperCut perform threat hunting to identify anomalous activity or any indicators of compromise.
Vendor Advisory: https://www.papercut.com/kb/Main/PO-1216-and-PO-1219#zdi-can-19226-po-1219
PoC: https://github.com/horizon3ai/CVE-2023-27350/blob/main/CVE-2023-27350.py
Exploitation: https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
BLOG
SolarWinds Arbitrary Command Execution and Privilege Escalation Critical Vulnerabilities (CVE-2022-36963 and CVE-2022-47505)
Dark Lab • Apr 25, 2023
On 18 April 2023, the SolarWinds Platform released its latest update, including fixes for four (4) vulnerabilities, 2 of which are flagged as high severity. Exploitation of the high severity flaws could enable an attacker to execute arbitrary commands and escalate local privileges. Given SolarWinds' vast utilisation across multiple industries and previous mass exploitation of SolarWinds vulnerabilities by malicious actors, we recommend organisations apply the latest update to mitigate against potential exploitation.
https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36963
https://www.solarwinds.com/trust-center/security-advisories/cve-2022-47505
BLOG
Veeam Backup & Replication Vulnerability (CVE-2023-27532) Exploited by BlackCat Ransomware Affiliate(s)
Dark Lab • Apr 18, 2023
On 17 April 2023, researchers observed an affiliate of the BlackCat Ransomware-as-a-Service (RaaS) group exploiting the authentication bypass vulnerability (CVE-2023-27532) in Veeam's Backup and Replication. The vulnerability allows an unauthenticated user operating within the backup infrastructure network perimeter to obtain encrypted credentials stored in the configuration database. A proof-of-concept (PoC) has been publicly available since 23 March 2023 and showcases the ease of exploitation. Given the active exploitation by BlackCat affiliates, we urge organisations to apply the patch as soon as possible and consider performing threat hunting to identify potential intrusion attempts.
https://www.veeam.com/kb4424
https://twitter.com/0xMalWar/status/1647852441910775816
BLOG
Actively Exploited Zero-Day Vulnerability in Google Chrome
Dark Lab • Apr 17, 2023
On 14 April 2023, Google released a security update for an actively exploited zero-day flaw in their Chrome web browser. The vulnerability is a type confusion flaw in the Chrome V8 JavaScript engine, which upon successful exploitation may result in arbitrary code execution. The type confusion vulnerability potentially enables an attacker to exploit heap corruption via a crafted HTML page. The vendor advises organisations to upgrade Chrome to version 112.0.5615.121 to remediate the vulnerability.
https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_14.html
BLOG
Microsoft Secure Boot Security Feature Bypass Vulnerability (CVE-2022-21894) Exploited by Threat Actors Using the BlackLotus Bootkit
Dark Lab • Apr 13, 2023
On 11 April 2023, Microsoft released guidance for investigating attacks leveraging the Microsoft Secure Boot Security Feature Bypass Vulnerability (CVE-2022-21894) via a Unified Extensible Firmware Interface (UEFI) bootkit, BlackLotus. The UEFI bootkit is available for sale on dark web forums and can enable an attacker to achieve remote code execution (RCE) on vulnerable operating systems. Threat actors can leverage the BlackLotus bootkit post-infiltration to establish persistence and evade detection. The malware uses CVE-2022-21894 to bypass Windows Secure Boot and subsequently deploy malicious files to the EFI System Partition (ESP), which are then executed by the UEFI firmware. We recommend organisations running vulnerable Windows versions conduct a threat hunting exercise to identify any potential indicators of compromise. Given that the BlackLotus bootkit interferes with various OS security mechanisms (e.g. BitLocker, HVCI, Defender Antivirus), the vendor has provided guidance on alternative detection opportunities that can be leveraged to identify potential indicators of compromise.
https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
BLOG
Microsoft Patch Tuesday
Dark Lab • Apr 12, 2023
On 11 April 2023, Microsoft disclosed 97 vulnerabilities in their monthly Patch Tuesday release. Amongst the vulnerabilities disclosed, 7 were classified such that successful exploitation may result in remote code execution. In addition, 1 actively exploited zero-day vulnerability (CVE-2023-28252) was disclosed. This zero-day elevation of privilege vulnerability has been observed being exploited by the Nokoyawa ransomware group to perform remote code execution with SYSTEM privileges. Microsoft has released patches for the aforementioned vulnerabilities. In most instances, no workarounds or mitigations are available.
https://msrc.microsoft.com/update-guide/vulnerability
BLOG
IBM Aspera Faspex Vulnerability Actively Exploited by Ransomware Groups (CVE-2022-47986)
Dark Lab • Mar 31, 2023
We observe multiple ransomware actors actively exploiting the IBM Aspera Faspex RCE vulnerability (CVE-2022-47986). The critical vulnerability has been persistently exploited by the Ransomware-as-a-Service (RaaS) operators IceFire and Buhti since early February 2023. The vendor has released a patch to address multiple vulnerabilities including CVE-2022-47986. No further workarounds are available.
https://www.ibm.com/support/pages/node/6952319
https://blog.assetnote.io/2023/02/02/pre-auth-rce-aspera-faspex/
https://twitter.com/raphaelmendonca/status/1626288868898004993
https://www.rapid7.com/blog/post/2023/03/28/etr-active-exploitation-of-ibm-aspera-faspex-cve-2022-47986/
BLOG
Veeam Backup & Replication Vulnerability (CVE-2023-27532)
Dark Lab • Mar 31, 2023
In early March 2023, Veeam released a security advisory and patch for an authentication bypass vulnerability (CVE-2023-27532) that enables malicious actors to decrypt credentials and obtain access to the backup infrastructure hosts. We have since observed multiple Proof-of-Concepts (PoCs) indicating the potential to achieve remote code execution subsequent to the authentication bypass. Whilst no exploitation attempts have been observed as of yet, we suspect malicious actors will soon seek to exploit vulnerable, exposed Veeam assets. The vendor has issued a patch to remediate the vulnerability. We advise applying the patch given historic mass exploitation of Veeam RCE vulnerabilities.
https://www.veeam.com/kb4424
https://www.horizon3.ai/veeam-backup-and-replication-cve-2023-27532-deep-dive/
BLOG
Critical Adobe ColdFusion Vulnerability (CVE-2023-26360) Exploited as a Zero-day
Dark Lab • Mar 17, 2023
On 15 March 2023, CISA added a critical Adobe ColdFusion improper access control vulnerability (CVE-2023-26360) to their Known Exploited Vulnerabilities Catalog, as the vulnerability is currently being actively exploited in the wild by malicious actors. The improper access control vulnerability impacting Adobe ColdFusion's web application development platform enables an unauthenticated attacker to achieve remote code execution on vulnerable hosts. As at the time of writing, no technical details have been disclosed on the vulnerability. Though there is no information regarding the attackers known to exploit the vulnerability, CISA noted that they observed the vulnerability being exploited in the wild in very limited attacks. Given the active exploitation, we urge impacted users to apply the latest patch as soon as possible. We posit that, given exploitation of CVE-2023-26360 can achieve RCE, opportunistic cybercriminals will quickly aim to weaponise CVE-2023-26360, particularly upon release of a PoC.
https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html
BLOG
SAP releases security updates fixing five critical vulnerabilities
Dark Lab • Mar 17, 2023
On 14 March 2023, SAP released their monthly patch advisory, including five (5) critical vulnerabilities. Vulnerabilities in SAP products are widely exploited by malicious actors given the potential to access critical infrastructure and highly sensitive data post-exploitation. We recommend impacted users apply the patches as soon as possible. While none of the aforementioned vulnerabilities have been observed to be actively exploited by malicious actors, we observe 10 historic SAP vulnerabilities listed on CISA's Known Exploited Vulnerabilities Catalog. We advise reviewing publicly exposed assets for the necessity of Internet-facing deployment and, where exposure is necessary, ensuring that exposed SAP assets are protected by a reverse proxy in the demilitarised zone.
https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10
BLOG
Microsoft Patch Tuesday
Dark Lab • Mar 16, 2023
On 14 March 2023, Microsoft disclosed a total of 80 vulnerabilities in their monthly Patch Tuesday release. Amongst the vulnerabilities disclosed, eight (8) are classified as critical, as successful exploitation may allow remote code execution and/or elevation of privileges. In addition, we note two (2) actively exploited zero-day vulnerabilities fixed in the latest patch (CVE-2023-23397 and CVE-2023-24880), one of which was publicly disclosed. CVE-2023-23397 has been reported to be leveraged by a Russia-based threat actor in targeted attacks against a limited number of organisations in the government, transportation, energy, and military sectors across Europe. Similarly, the Magniber ransomware group has been observed exploiting the other zero-day vulnerability (CVE-2023-24880). It is recommended that organisations using affected products apply the patches immediately. In particular, CVE-2023-23397 and CVE-2023-24880 should be remediated as soon as possible given their active exploitation by malicious actors.
https://msrc.microsoft.com/update-guide/
https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/
BLOG
CVE-2022-41328 Fortinet FortiOS Vulnerability Leveraged to Target Governments
Dark Lab • Mar 14, 2023
On 7 March 2023, Fortinet released a security advisory for a medium severity vulnerability (CVE-2022-41328) impacting their FortiOS products. The vulnerability has been observed being leveraged by an unknown threat actor to target government entities and cause data loss, and OS and file corruption. The path traversal vulnerability enables a privileged attacker to achieve arbitrary code execution via crafted CLI commands. The attacker may have attempted to exploit the vulnerability by uploading files to the FortiGate via a TFTP server to the specified path. The vendor advises that exploitation of the vulnerability requires a sophisticated understanding of FortiOS and the underlying hardware. The current attack is highly targeted, with observed targeting of government and government-related entities. The vendor advises upgrading to a patched version of FortiOS as soon as possible to mitigate potential exploitation.
https://www.fortiguard.com/psirt/FG-IR-22-369
https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis
BLOG
Adobe Acrobat Reader DC RCE Vulnerability (CVE-2023-21608)
Dark Lab • Mar 14, 2023
Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier) and 20.005.30418 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction, in that a victim must open a malicious file. By persuading a victim to open a specially crafted document, an attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim or cause the application to crash. Adobe recommends users update their software installations to the latest versions.
https://hacksys.io/blogs/adobe-reader-resetform-cagg-rce-cve-2023-21608
https://securityonline.info/poc-exploit-for-adobe-acrobat-reader-dc-rce-vulnerability-cve-2023-21608-released/
https://nvd.nist.gov/vuln/detail/CVE-2023-21608
https://helpx.adobe.com/security/products/acrobat/apsb23-01.html
BLOG
Fortinet Critical Remote Code Execution (RCE) Vulnerabilities (CVE-2022-39952 and CVE-2021-42756)
Dark Lab • Mar 14, 2023
CVE Number: CVE-2022-39952
CVE Score: 9.8
Affected Products: FortiNAC 9.4.0, 9.2.5, 9.2.4, 9.2.3, 9.2.2, 9.2.1, 9.2.0, 9.1.7, 9.1.6, 9.1.5, 9.1.4, 9.1.3, 9.1.2, 9.1.1, 9.1.0, 8.8.9, 8.8.8, 8.8.7, 8.8.6, 8.8.5, 8.8.4, 8.8.3, 8.8.2, 8.8.11, 8.8.10, 8.8.1, 8.8.0, 8.7.6, 8.7.5, 8.7.4, 8.7.3, 8.7.2, 8.7.1, 8.7.0, 8.6.5, 8.6.4, 8.6.3, 8.6.2, 8.6.1, 8.6.0, 8.5.4, 8.5.3, 8.5.2, 8.5.1, 8.5.0, 8.3.7
Impact: RCE
PoC: To be released by security researchers
Exploit in the wild: No
Discussion in SOCINT/DARKINT: Yes
Known TA exploiting this CVE: NA
IoC: NA

CVE Number: CVE-2021-42756
CVE Score: 9.3
Affected Products: FortiWeb 6.4.1, 6.4.0, 6.3.9, 6.3.8, 6.3.7, 6.3.6, 6.3.5, 6.3.4, 6.3.3, 6.3.2, 6.3.16, 6.3.15, 6.3.14, 6.3.13, 6.3.12, 6.3.11, 6.3.10, 6.3.1, 6.3.0, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.1.2, 6.1.1, 6.1.0, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0, 5.9.1, 5.9.0, 5.8.7, 5.8.6, 5.8.5, 5.8.3, 5.8.2, 5.8.1, 5.8.0, 5.7.3, 5.7.2, 5.7.1, 5.7.0, 5.6.2, 5.6.1, 5.6.0
Impact: RCE
PoC: No
Exploit in the wild: No
Discussion in SOCINT/DARKINT: Yes
Known TA exploiting this CVE: NA
IoC: NA

The vendor advises end users running vulnerable versions of FortiNAC and FortiWeb to apply the latest patches as soon as possible to remediate the vulnerabilities. No further workarounds or mitigations have been disclosed.
https://www.fortiguard.com/psirt/FG-IR-22-300
https://www.fortiguard.com/psirt/FG-IR-21-186
BLOG
CISA adds Fortra GoAnyWhere MFT RCE Vulnerability (CVE-2023-0669) to their Known Exploited Vulnerabilities Catalog
Dark Lab • Mar 14, 2023
Affected Products: GoAnywhere MFT
Impact: RCE
PoC: Yes - https://frycos.github.io/vulns4free/2023/02/06/goanywhere-forgotten.html
Exploit in the wild: Yes
Discussion in SOCINT/DARKINT:
Known TA exploiting this CVE: TA505, Cl0p Ransomware
IoC: As soon as possible, follow the steps below to determine whether the GoAnywhere MFT instance(s) you have running have been targeted by this exploit. Search the logs for the following:
• Errors containing the text “/goanywhere/lic/accept”
NOTE: By default, 10 logs are archived when a log reaches 5 MB in size. Search the userdata/logs/[system_name]-goanywhere.log* files on every system/node in your cluster, where [system_name] represents each system or node; all 10 archived logs should be searched for every system/node. Standalone (non-HA) logs are named goanywhere.log, goanywhere.log1, goanywhere.log2, etc.
• Errors containing the text “Error parsing license response”
• The following additional error has been observed and may further confirm that unauthorized access has taken place:
java.lang.RuntimeException: InvocationTargetException: java.lang.reflect.InvocationTargetException
at org.apache.commons.beanutils.BeanComparator.compare(BeanComparator.java:171)
at java.util.PriorityQueue.siftDownUsingComparator(PriorityQueue.java:721)
at java.util.PriorityQueue.siftDown(PriorityQueue.java:687)
at java.util.PriorityQueue.heapify(PriorityQueue.java:736)
at java.util.PriorityQueue.readObject(PriorityQueue.java:796
Fortra (formerly HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet, caused by deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2. Successful exploitation requires access to the admin console of the application, which in most cases is reachable only via a private company network, via VPN, or from allow-listed IP addresses.
If the admin console is publicly exposed, access controls are required to limit it to trusted sources and minimize the risk of infiltration by malicious actors. Only the administrative interface is susceptible to exploitation; the public-facing Web Client interface is not susceptible to this exploit, though according to best practice it should also not be exposed to the internet. The vulnerability has been observed being leveraged by threat actors deploying the Cl0p ransomware. Fortra released a patch for the vulnerability (GoAnywhere MFT 7.1.2) on 8 February 2023 and subsequently provided an updated security advisory on 13 February 2023 with further mitigation and remediation advice. <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" style="text-decoration: underline;">https://www.cisa.gov/known-exploited-vulnerabilities-catalog</a> <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-0669" style="text-decoration: underline;">https://nvd.nist.gov/vuln/detail/CVE-2023-0669</a> <a href="https://attackerkb.com/topics/mg883Nbeva/cve-2023-0669/rapid7-analysis" style="text-decoration: underline;">https://attackerkb.com/topics/mg883Nbeva/cve-2023-0669/rapid7-analysis</a> <a href="https://duo.com/decipher/fortra-patches-actively-exploited-zero-day-in-goanywhere-mft" style="text-decoration: underline;">https://duo.com/decipher/fortra-patches-actively-exploited-zero-day-in-goanywhere-mft</a> <a href="https://frycos.github.io/vulns4free/2023/02/06/goanywhere-forgotten.html" style="text-decoration: underline;">https://frycos.github.io/vulns4free/2023/02/06/goanywhere-forgotten.html</a> <a href="https://github.com/rapid7/metasploit-framework/pull/17607" style="text-decoration: underline;">https://github.com/rapid7/metasploit-framework/pull/17607</a> <a href="https://infosec.exchange/@briankrebs/109795710941843934" style="text-decoration: underline;">https://infosec.exchange/@briankrebs/109795710941843934</a> <a href="https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml#zerodayfeb1" style="text-decoration: underline;">https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml#zerodayfeb1</a> <a href="https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-zero-day-vulnerability/" style="text-decoration: underline;">https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-zero-day-vulnerability/</a>
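Added example (not part of the original alert, and not Fortra's tooling): a small Python scanner that implements the log search described above. The indicator strings and the goanywhere.log* / [system_name]-goanywhere.log* naming come from the advisory; the sample log lines are constructed for a stand-alone run, and a real deployment would point scan_log_dir at userdata/logs on each node.

```python
import re
from pathlib import Path

# Indicator strings taken from the Fortra detection guidance quoted above.
INDICATORS = {
    "license_accept_error": "/goanywhere/lic/accept",
    "license_parse_error": "Error parsing license response",
    # First frame of the stack trace the advisory says may further confirm access.
    "beancomparator_frame": "org.apache.commons.beanutils.BeanComparator.compare",
}

# Matches goanywhere.log, goanywhere.log1, ... and [system_name]-goanywhere.log* (HA nodes).
LOG_NAME = re.compile(r"^(?:[^/\\]+-)?goanywhere\.log\d*$")


def is_goanywhere_log(name):
    """True for the standalone and cluster log file names described in the advisory."""
    return LOG_NAME.match(name) is not None


def scan_lines(lines):
    """Return (line_no, indicator_name, line) for every log line containing an indicator."""
    hits = []
    for no, line in enumerate(lines, 1):
        for name, needle in INDICATORS.items():
            if needle in line:
                hits.append((no, name, line.rstrip("\n")))
    return hits


def scan_log_dir(log_dir):
    """Scan every current and archived GoAnywhere log under log_dir (e.g. userdata/logs)."""
    results = {}
    for path in sorted(Path(log_dir).iterdir()):
        if path.is_file() and is_goanywhere_log(path.name):
            with path.open(encoding="utf-8", errors="replace") as fh:
                hits = scan_lines(fh)
            if hits:
                results[path.name] = hits
    return results


# Constructed sample log lines (not real GoAnywhere output) for a stand-alone run.
SAMPLE_LOG = [
    "2023-02-01 10:00:01 INFO  Web Client login for user alice",
    "2023-02-01 10:02:14 ERROR Error parsing license response",
    "2023-02-01 10:02:14 ERROR java.lang.RuntimeException: InvocationTargetException",
    "\tat org.apache.commons.beanutils.BeanComparator.compare(BeanComparator.java:171)",
    "\tat java.util.PriorityQueue.siftDownUsingComparator(PriorityQueue.java:721)",
    "2023-02-01 10:02:15 ERROR Request to /goanywhere/lic/accept failed",
]

if __name__ == "__main__":
    for no, name, line in scan_lines(SAMPLE_LOG):
        print(f"line {no}: {name}: {line}")
```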
BLOG
Microsoft Patch Tuesday
Dark Lab • Mar 14, 2023
Microsoft has released patches for 77 vulnerabilities on 14 February 2023. A CVA will be drafted. The Patch Tuesday includes:
• 12 Elevation of Privilege Vulnerabilities
• 2 Security Feature Bypass Vulnerabilities
• 38 Remote Code Execution Vulnerabilities
• 8 Information Disclosure Vulnerabilities
• 10 Denial of Service Vulnerabilities
• 8 Spoofing Vulnerabilities
The CVA will include the most critical vulnerabilities, as well as the 3 actively exploited vulnerabilities. Deploy the latest patches. <a href="https://msrc.microsoft.com/update-guide/vulnerability" style="text-decoration: underline;">https://msrc.microsoft.com/update-guide/vulnerability</a>
BLOG
FortiOS and FortiProxy Remote Code Execution Vulnerability (CVE-2023-25610)
Dark Lab • Mar 14, 2023
FortiOS / FortiProxy - Heap buffer underflow in administrative interface. The vendor has released patches to remediate the vulnerability. Alternatively, the vendor also provided a set of temporary workarounds for FortiOS only:
Workaround 1: Disable the HTTP/HTTPS administrative interface
Workaround 2: Harden access control to the administrative interface
a) Limit the IP addresses that can access the administrative interface
b) Create an Address Group
c) Create a Local-in Policy to restrict access on the management interface to the predefined group only
d) [Optional] If using non-default ports, create an appropriate service object for GUI administrative access
We advise you to refer to the vendor advisory for a more detailed set of instructions for implementing Workaround 2. <a href="https://www.fortiguard.com/psirt/FG-IR-23-001" style="text-decoration: underline;">https://www.fortiguard.com/psirt/FG-IR-23-001</a>
BLOG
Campaign Persistently Exploiting Vulnerable SonicWall Devices
Dark Lab • Mar 14, 2023
On 8 March 2023, researchers identified an ongoing campaign, conducted by a suspected Chinese threat actor that has not otherwise been identified, deploying malware on vulnerable SonicWall devices, including SonicWall Secure Mobile Access (SMA) appliances, to maintain long-term persistence in compromised environments. SonicWall released its latest update and patches on 1 March 2023. HKBN urges impacted organisations to apply the patches immediately, given the active exploitation. This report is issued because it satisfies our criteria for the release of a critical vulnerability alert. SonicWall has released a patch mitigating the impact of the OpenSSL vulnerability (CVE-2022-4304). The vendor recommends that all users upgrade to SonicWall SMA 10.2.1.7 by logging in to their MySonicWall portal or by following the guidance provided in its security advisory and additional resources. Further, if operating any outdated versions of SonicWall devices, we advise updating to the latest patch to avoid potential exploitation by this actor. <a href="https://blog.sonicwall.com/en-us/2023/03/new-sma-release-updates-openssl-library-includes-key-security-features/" style="text-decoration: underline;">https://blog.sonicwall.com/en-us/2023/03/new-sma-release-updates-openssl-library-includes-key-security-features/</a> <a href="https://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall" style="text-decoration: underline;">https://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall</a>
BLOG
IBM Aspera Faspex Arbitrary Code Execution Vulnerability (CVE-2022-47986)
Dark Lab • Mar 14, 2023
CVE-2022-47986 is a critical vulnerability in IBM's Aspera Faspex 4.4.2 Patch Level 1 and earlier, caused by a YAML deserialisation flaw, which could allow a remote attacker to execute arbitrary code on the affected system by sending a specially crafted call to an obsolete API. The vulnerability was added to CISA's Known Exploited Vulnerabilities Catalog on 21 February 2023. IBM advises users running vulnerable versions to apply the patch as soon as possible, as no further workarounds or mitigations are available. <a href="https://www.ibm.com/support/pages/node/6952319" style="text-decoration: underline;">https://www.ibm.com/support/pages/node/6952319</a> <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" style="text-decoration: underline;">https://www.cisa.gov/known-exploited-vulnerabilities-catalog</a> <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-47986" style="text-decoration: underline;">https://nvd.nist.gov/vuln/detail/CVE-2022-47986</a> <a href="https://blog.assetnote.io/2023/02/02/pre-auth-rce-aspera-faspex/" style="text-decoration: underline;">https://blog.assetnote.io/2023/02/02/pre-auth-rce-aspera-faspex/</a> (PoC) <a href="https://github.com/ohnonoyesyes/CVE-2022-47986" style="text-decoration: underline;">https://github.com/ohnonoyesyes/CVE-2022-47986</a>
BLOG
Oracle E-Business Suite Unauthenticated RCE Vulnerability (CVE-2022-21587)
Dark Lab • Mar 14, 2023
A security researcher announced on 25 January 2023 that they had observed numerous CVE-2022-21587 exploitation attempts since 21 January 2023, shortly after Vietnamese security researchers released a PoC. Given that the vulnerability is low in complexity and affects a widely deployed business solution, we posit that malicious actors will continue to attempt to exploit it to gain initial access and achieve RCE. Organisations running a vulnerable version of Oracle E-Business Suite are advised to apply the latest patch released by the vendor as soon as possible. A temporary workaround is to configure your firewall to block requests to the following URL paths:
• /OA_HTML/BneUploaderService
• /OA_HTML/BneViewerXMLService
• /OA_HTML/BneDownloadService
• /OA_HTML/BneOfflineLOVService
<a href="https://twitter.com/Shadowserver/status/1618258799575597064" style="text-decoration: underline;">https://twitter.com/Shadowserver/status/1618258799575597064</a> <a href="https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/amp/" style="text-decoration: underline;">https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/amp/</a> <a href="https://t.co/SGyT3abwB1" style="text-decoration: underline;">https://t.co/SGyT3abwB1</a> <a href="https://t.co/dlQekxZ4fD" style="text-decoration: underline;">https://t.co/dlQekxZ4fD</a>
BLOG
Fortinet Critical Remote Code Execution (RCE) Vulnerabilities (CVE-2022-39952 and CVE-2021-42756)
Dark Lab • Mar 14, 2023
An unauthenticated attacker can send specially crafted HTTP requests to a vulnerable FortiNAC web server; successful exploitation of CVE-2022-39952 would potentially allow the attacker to achieve remote code execution as the root user. Security researchers have validated the exploit and announced on 18 February 2023 that a blog post and PoC would be made publicly available. Based on recent incident experience and open-source intelligence, PwC’s Dark Lab observes that threat actors continuously weaponise critical vulnerabilities, particularly RCE vulnerabilities, within three days of PoCs being published. We posit that upon the release of a PoC for CVE-2022-39952, threat actors will attempt to exploit exposed FortiNAC servers.
Update: on 23 February 2023 a PoC was released.
The vendor advises end users running vulnerable versions of FortiNAC and FortiWeb to apply the latest patches as soon as possible to remediate the vulnerabilities. No further workarounds or mitigations have been disclosed. <a href="https://github.com/horizon3ai/CVE-2022-39952" style="text-decoration: underline;">https://github.com/horizon3ai/CVE-2022-39952</a> <a href="https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/fbclid=IwAR3QTxHQIBvPSDeghpqeXilneXNCCAcnABN3VLUuuU5H3If6uzFpK1I2Tiw&mibextid=Zxz2cZ" style="text-decoration: underline;">https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/fbclid=IwAR3QTxHQIBvPSDeghpqeXilneXNCCAcnABN3VLUuuU5H3If6uzFpK1I2Tiw&mibextid=Zxz2cZ</a> <a href="https://www.fortiguard.com/psirt/FG-IR-22-300" style="text-decoration: underline;">https://www.fortiguard.com/psirt/FG-IR-22-300</a> <a href="https://www.fortiguard.com/psirt/FG-IR-21-186" style="text-decoration: underline;">https://www.fortiguard.com/psirt/FG-IR-21-186</a>