Security updates

Security newsletter October 2024

In this edition, we explore how the cybersecurity landscape is contending with a series of high-profile vulnerabilities impacting major platforms such as Fortinet, Cisco, and Mozilla—each posing significant risks to global network security. We’ll also examine how the Lazarus Group is exploiting a Chrome vulnerability to steal sensitive information and cryptocurrencies. Finally, we have positive news from law enforcement: Operation Magnus successfully disrupted the infrastructure of the RedLine and MetaStealer malware. 

Top 3 vulnerabilities:  
  • Fortinet reveals critical FortiManager flaw used in attacks 
  • Cisco urges immediate update for critical ASA and FTD vulnerabilities 
  • Critical Firefox vulnerability actively exploited 

Attacks: 

  • Lazarus Group exploits Chrome flaw to hijack devices 

Industry news: 

  • Operation Magnus - major cybercrime operations targeting personal data shut down

Top 3 vulnerabilities 

1. Fortinet reveals critical FortiManager flaw used in attacks

Fortinet recently disclosed a critical security vulnerability in FortiManager, identified as CVE-2024-47575. With a severity rating of 9.8 on the CVSS scale, this flaw enables cybercriminals to bypass authentication and access sensitive files, including device configurations, IP addresses, and login credentials. 

Exploitation details, attack evidence and impact 

This vulnerability is actively exploited in zero-day attacks and has been promptly added to CISA's Known Exploited Vulnerabilities Catalog. However, to exploit the bug, attackers first need a valid certificate from any Fortinet device, which allows them to establish a secure connection and interact with FortiManager remotely.

The reported attacks involved extracting files containing sensitive information which might allow attackers to target corporate networks or managed service provider clients. However, Fortinet has seen no evidence of malware or unauthorized changes in compromised devices. While Fortinet has not attributed these attacks to specific actors, the company is investigating the incident and monitoring for any further signs of exploitation.

Impacted versions and required updates 

To remediate this vulnerability, update FortiManager as follows: 
  • from version 7.6 to 7.6.1 or later 
  • from version 7.4 to 7.4.5 or later 
  • from version 7.2 to 7.2.8 or later 
  • from version 7.0 to 7.0.13 
  • from version 6.4 to 6.4.15 
  • from version 6.2 to 6.2.13 

Customers using FortiManager Cloud versions must also ensure they update to the latest patches.  

In addition, in its advisory Fortinet reports that old FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, 3900E with the ‘set fmg-status’ feature enabled (FortiManager on FortiAnalyzer) and at least one interface with fgfm service enabled are also impacted by this vulnerability. 

Mitigation steps 

Customers unable to apply the updates can improve security by preventing unknown devices from registering, using custom SSL certificates to authenticate devices with FortiManager, and restricting access to an approved list of device IP addresses. For more details, comprehensive mitigation options and information about Indicators of Compromise, refer to Fortinet's advisory. For additional details, see the investigation from Mandiant.

2. Cisco urges immediate update for critical ASA and FTD vulnerabilities 

Cisco has issued updates to address multiple vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, including one currently under active attack. Some of these vulnerabilities, rated as highly severe, could allow cybercriminals to disrupt services or gain unauthorized system access. 

Vulnerability under active attack 

The vulnerability causing the most concern, tracked as CVE-2024-20481, affects the Remote Access VPN (RAVPN) service in ASA and FTD devices. Rated with a CVSS score of 5.8, this flaw is caused by “resource exhaustion.” Attackers can exploit it via password spray attacks, in which many login requests are sent, overwhelming the system and causing a Denial-of-Service (DoS) condition that makes the VPN service unavailable.

Cisco has released patches for CVE-2024-20481, which are specified in the relevant Bug ID articles CSCwj45822 and CSCwj91570. Additionally, to counter such password spray attacks, administrators can refer to the recommendations provided by Cisco: 

  • Enable logging to monitor suspicious activity. 
  • Set up threat detection for the VPN. 
  • Strengthen defenses by limiting authentication requests and blocking unknown sources. 

This vulnerability has already been used in attacks, often as part of larger brute-force campaigns aimed at VPNs, web applications, and SSH services, as Cisco Talos also reported earlier this year.
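The first two recommendations above (enable logging, set up threat detection) are only useful if something actually reads the logs. As an added example, not code from Cisco or from this newsletter, the following Python script flags the password-spray pattern behind CVE-2024-20481: many distinct usernames rejected from a single source address within a short window, as opposed to one user repeatedly mistyping a password. The log lines are constructed for the example; their layout is modeled on the Cisco ASA syslog message %ASA-6-113005 (AAA authentication rejected), which is an assumption to verify against the appliance's real output, and the "5 distinct users in 5 minutes" threshold is a placeholder to tune for the environment.

```python
"""Password-spray detection over VPN authentication rejection logs.

Added example; not Cisco's code and not from the newsletter. Log lines
are constructed and their shape is an assumption modeled on the ASA
%ASA-6-113005 message; check it against actual device output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not captured traffic).
# 198.51.100.7 : six different users rejected in ~10 seconds  -> spray
# 203.0.113.9  : one user rejected five times                  -> not a spray
# 192.0.2.44   : five users, but spread over two hours         -> below window
SAMPLE_LOGS = """\
Oct 24 2024 10:00:01 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = alice : user IP = 198.51.100.7
Oct 24 2024 10:00:03 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = bob : user IP = 198.51.100.7
Oct 24 2024 10:00:05 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = carol : user IP = 198.51.100.7
Oct 24 2024 10:00:07 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = dave : user IP = 198.51.100.7
Oct 24 2024 10:00:09 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = erin : user IP = 198.51.100.7
Oct 24 2024 10:00:11 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = frank : user IP = 198.51.100.7
Oct 24 2024 10:00:12 fw1 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = alice
Oct 24 2024 10:05:00 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = carol : user IP = 203.0.113.9
Oct 24 2024 10:05:10 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = carol : user IP = 203.0.113.9
Oct 24 2024 10:05:20 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = carol : user IP = 203.0.113.9
Oct 24 2024 10:05:30 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = carol : user IP = 203.0.113.9
Oct 24 2024 10:05:40 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = carol : user IP = 203.0.113.9
Oct 24 2024 11:00:00 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = grace : user IP = 192.0.2.44
Oct 24 2024 11:30:00 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = heidi : user IP = 192.0.2.44
Oct 24 2024 12:00:00 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = ivan : user IP = 192.0.2.44
Oct 24 2024 12:30:00 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = judy : user IP = 192.0.2.44
Oct 24 2024 13:00:00 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = mallory : user IP = 192.0.2.44
"""

# Only rejection messages matter for spray detection; successes and
# other message IDs fall through the match and are ignored.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ "
    r"%ASA-6-113005: AAA user authentication Rejected : .*?"
    r"user = (?P<user>\S+) : user IP = (?P<ip>\S+)\s*$"
)


def parse_rejections(text):
    """Return a list of (timestamp, source_ip, username) for each rejection."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("user")))
    return events


def detect_password_spray(events, window=timedelta(minutes=5), min_users=5):
    """Map source IP -> max number of distinct usernames rejected within any
    sliding time window, for sources that reach the min_users threshold.

    The distinct-user count is what separates a spray (one source, many
    accounts) from a single user's failed logins (one source, one account).
    """
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({user for _, user in evs[start:end + 1]})
            best = max(best, distinct)
        if best >= min_users:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    alerts = detect_password_spray(parse_rejections(SAMPLE_LOGS))
    for ip, users in sorted(alerts.items()):
        print(f"possible password spray from {ip}: {users} distinct users in 5 minutes")
```

Run against the embedded sample it reports only 198.51.100.7. The source that hammers a single account and the source whose attempts are hours apart are both left alone, which is the point of counting distinct users inside a window rather than raw failure totals; a flagged address is a candidate for the rate limiting and source blocking that Cisco's third recommendation describes, not an automatic block.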

Additional critical vulnerabilities in Cisco devices 

Cisco also fixed three other critical vulnerabilities, all with CVSS scores ranging from 9.3 to 9.9: 

  1. CVE-2024-20412 (CVSS 9.3): Found in FTD Software, this flaw involves hard-coded passwords that could allow unauthorized access. A local attacker could exploit this to gain control of devices in the Firepower 1000, 2100, 3100, and 4200 Series.
  2. CVE-2024-20424 (CVSS 9.9): This issue impacts the web-based management interface in Secure Firewall Management Center (FMC). Due to insufficient input validation, an attacker could exploit it to execute commands on the underlying operating system.
  3. CVE-2024-20329 (CVSS 9.9): Located in the ASA’s SSH subsystem, this flaw could allow a remote attacker with credentials to execute commands on the device’s operating system.

Given the critical nature of these vulnerabilities, Cisco advises all users to apply updates immediately and implement Cisco's suggested security measures. 

3. Critical Firefox vulnerability actively exploited 

Mozilla users should update their Firefox browsers to protect against a severe security flaw actively exploited by cybercriminals. This vulnerability, identified as CVE-2024-9680 with a CVSS score of 9.8, is a "use-after-free" bug in Firefox’s Animation timeline component. The issue arises from improper memory management, allowing attackers to execute malicious code. In simpler terms, cybercriminals could take control of the browser—and potentially the entire computer—by exploiting this flaw. 

Exploited in the wild  

Mozilla has acknowledged that this vulnerability is being actively used in real-world attacks, although specific details about how it’s being exploited or who is behind the attacks have not been made public. Typically, such vulnerabilities could be exploited to run harmful code when a user visits a compromised or fake website. 

Affected versions and updates 

The flaw affects both the regular version of Firefox and the Extended Support Release (ESR). To be protected against potential attacks, update to Firefox 131.0.2, Firefox ESR 128.3.1 or Firefox ESR 115.16.1. 

The Tor Browser, which is built on Firefox, has also been impacted. To address the same vulnerability in Tor, update to version 13.5.7. 

Attacks  

Lazarus Group exploits Chrome flaw to hijack devices  

In other related browser security news, the Lazarus Group, a notorious North Korean hacking team, has been linked to a zero-day exploit targeting a security flaw in Google Chrome, enabling remote code execution and device control. This vulnerability, labeled CVE-2024-4947, is classified as a "type confusion" bug in Chrome’s V8 engine, which processes JavaScript and WebAssembly. With a critical CVSS rating of 9.8, this flaw was patched in May 2024 with the release of Chrome version 125.0.6422.60 and Microsoft Edge (Chromium-based) version 124.0.2478.109. 

How the attack happened 

The attack started in February 2024, targeting people involved in cryptocurrency. Victims were lured to a fake game website that looked legitimate and promoted an online tank game related to cryptocurrency investments. Once someone visited the site using Chrome, a hidden script launched an attack using the browser’s vulnerability. This allowed the hackers to run harmful commands on the victim’s device and steal valuable information such as cookies, authentication tokens, browsing history, and saved passwords.

According to Kaspersky, the website wasn’t just about downloading a game; it was carefully crafted to trick people who had been contacted via social media ads, spear-phishing emails, and direct messages from accounts posing as a blockchain company or a game developer. The attackers even created fake social media profiles and promoted the game using content generated by artificial intelligence. Their approach included reaching out directly to crypto industry influencers, making their scam appear more credible.

A quick look at the technical aspects 

The CVE-2024-4947 vulnerability is dangerous because it lets attackers misuse the memory management process of Chrome, gaining access to sensitive parts of the browser. This, combined with another security issue that bypassed Chrome's protective measures, allowed attackers to read and write information they shouldn’t have had access to. Google has since fixed these issues, but the timeline of when attackers first discovered and used them remains unclear. 

Once the browser was compromised, the hackers could run a “validator” script to gather details about the infected system. This step was likely used to determine if the device was valuable for further attacks. The exact malware deployed after this is still unknown. 

Broader implications and theft 

Lazarus Group has been linked to more than just browser exploits. In March 2024, a blockchain game called DeFiTankLand was hacked, resulting in $20,000 worth of cryptocurrency being stolen. Kaspersky believes Lazarus stole both the game’s source code and the money, then used this code to create the fake tank game to trick more victims. 

Staying safe 

This case highlights how sophisticated hackers have become, even using AI and social engineering to trick people. If you use Chrome, make sure it’s updated to the latest version to prevent such attacks. Socradar

Industry news 

Operation Magnus: Major cybercrime operations targeting personal data shut down 

In a major law enforcement operation, the Dutch National Police, along with international partners, successfully dismantled the infrastructure supporting two prominent cybercriminal tools, RedLine and MetaStealer. This coordinated effort, named Operation Magnus, occurred on October 28, 2024, with involvement from authorities in the U.S., U.K., Belgium, Portugal, and Australia. 

The joint operation led to the shutdown of three servers in the Netherlands and the seizure of two web domains that were used to spread these information-stealing programs. It is estimated that over 1,200 servers around the world were involved in running these malware operations. The authorities also managed to take down multiple Telegram accounts that were used to promote these hacking tools. 

Key arrests and charges 

One of the main individuals charged is Maxim Rudometov, a developer and administrator for RedLine Stealer. The U.S. Department of Justice has charged him with several crimes, including fraud, conspiracy to hack computers, and money laundering. If convicted, he could face up to 35 years in prison.  

How the malware worked 

RedLine and MetaStealer are types of “information stealers” used by hackers to collect sensitive data like usernames, passwords, and IP addresses. This stolen data is often sold to other criminals, who may use it for further attacks, like ransomware. The malware was distributed as a “malware-as-a-service,” where other cybercriminals could rent or buy access to use these tools. 

Impact of the takedown 

This operation sends a strong message to cybercriminals who believed they were safe using platforms like Telegram. Authorities emphasized that the days of operating anonymously through such services are coming to an end, and they continue to investigate the clients of these malware tools. Justice.gov