In this weekly Threat Intelligence Brief we look back at top stories and security-related callouts to provide relevant and actionable insights for the information security consumer.
We reference threat intelligence gained through our position as a security provider as well as industry sources in the development of this brief.
In this edition:
Malicious WordPress plug-ins infect sites with malware
Missing authentication in FortiManager
Techniques for jailbreaking LLMs]
CISA KEV updates
Malicious WordPress plug-ins infect sites with malware
During a recent campaign, thousands of WordPress sites were infected with malware. The campaign consisted of logging into WordPress sites with compromised admin credentials and then installing malicious plugins that distribute malware. The malware was disguised as a fake browser update known as ClickFix.
According to GoDaddy researchers, they have been monitoring the ClickFix malware campaign since August of 2023 and have observed over 25k compromised sites. The fake plugins typically use generic names like "Quick Cache Cleaner" or "Advanced User Manager." Accessing your WordPress sites admin portal is as simple as adding "/wp-admin" to the end of your domain and then supplying credentials. Ensuring these credentials are strong and that you have some sort of wp-admin access monitoring in place will help to cut the risk of compromise.
Source: GoDaddy
Missing authentication in FortiManager
Fortinet has posted a critical severity vulnerability in FortiManager fgfmd daemon this week. Exploitation of CVE-2024-47575 can lead to unauthorized code execution and the CVSS score for this vulnerability is a 9.8/10. The vulnerability is also on CISA's KEV list as reports have shown it to be activity exploited in the wild.
The observed impact so far as detailed by the FortiGuard PSIRT team as been the "exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices."
For a list of affected versions, potential work arounds and IoCs, please visit the linked source article.
Source: Fortiguard
Techniques for jailbreaking LLMs
Palo Alto's Unit42 released a report regarding the abuse of Large Language Models (LLMs) in order to bypass guardrails for generating unwanted material. The method involves embedding restricted topics with benign or safe material to confuse the LLM. For example, asking how to create a Molotov cocktail in the middle of a chocolate chip cookie recipe. The graphic below provided by Unit42 provides a general flow for this method of LLM abuse:
With the wide-spread adoption of LLMs across many sectors, securing this new obsession should be a top concern. The report really serves to reinforce the need for a multi-layered defense strategy to mitigate jailbreak risks through the application of robust security minded prompt engineering and content filters. Please also refer to the OWASP top ten for LLMs if you would like more info on current top threats to this technology (OWASP).
Source: Unit42
CISA KEV updates
CISA has added 5 CVE to their Known Exploited Vulnerability (KEV) catalog this week:
CVE-2024-9537 - ScienceLogic SL1 Unspecified Vulnerability - CVSS 9.8
CVE-2024-38094 - Microsoft SharePoint Deserialization Vulnerability - CVSS 7.2
CVE-2024-47575 - Fortinet FortiManager Missing Authentication Vulnerability - CVSS 9.8
CVE-2024-37383 - RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability - CVSS 6.1
CVE-2024-20481 - Cisco ASA and FTD Denial-of-Service Vulnerability - CVSS 5.8
Don't know where to begin with vulnerability management?
Using CISAs KEV catalog as a risk based approach can be a great way to help prioritize vulnerability remediation in your organization. This link provides guidance on how to implement the KEV CISA.
Source: Known Exploited Vulnerabilities Catalog | CISA
Coretek's managed SOC/SIEM customers benefit from the latest threat intelligence. If you're interested in learning more about what Coretek can offer your organization, please reach out: https://coretek.com/contact