Threat Actor Leaks 440GB of Data in Fortinet Breach

In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities being reported across various platforms. Recent cybersecurity incidents include a crypto-mining campaign to exploit Oracle WebLogic on Linux servers via a new malware strain, the cybersecurity company Fortinet suffering from a data breach, a cryptojacking attack that weaponizes CentOS severs, exploitation of a Windows MSHTML spoofing flaw to distribute info-stealer software and Microsoft’s September 2024 Patch that addressed 79 security vulnerabilities. These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Fortinet Breach: Threat Actor ‘Fortibitch’ Leaks 440GB of Data from SharePoint

Cybersecurity researchers have uncovered a new malware campaign targeting Linux environments, specifically exploiting Oracle WebLogic servers. The malware strain, named “Hadooken,” is used for illicit cryptocurrency mining and deploying a DDoS botnet known as “Tsunami.” The attackers exploit vulnerabilities and weak configurations in WebLogic servers, such as weak credentials and exposed admin consoles, to gain access. Once inside, they execute code to install the Hadooken malware, retrieving it via Python or shell script payloads from remote servers.

Hadooken uses SSH credentials for lateral movement across networks, spreading itself further. The malware’s components include a cryptocurrency miner and the Tsunami botnet. To persist, it creates cron jobs to keep the miner running regularly. Hadooken employs evasion techniques like Base64 encoding and disguising malicious processes to avoid detection.

This campaign is linked to infrastructure previously used by the “8220 Gang” and exploits enterprise vulnerabilities, such as those in Apache Log4j and Atlassian Confluence.

Key recommendations include regularly patching vulnerabilities in WebLogic servers, strengthening access controls with strong credentials and multi-factor authentication, and auditing server configurations to close misconfigurations and limit access to sensitive areas like SSH directories.

2. Fortinet Breach: Threat Actor “Fortibitch” Leaks 440GB of Data from SharePoint Repository

Fortinet has confirmed a data breach in which 440GB of data was stolen from its Microsoft SharePoint server. The breach, attributed to a hacker named “Fortibitch,” impacted less than 0.3% of Fortinet’s customer base. No encryption, ransomware, or corporate network access was involved in the breach, which stemmed from unauthorized access to a third-party cloud file drive.

The compromised data is tied to Fortinet’s acquisitions of Next DLP and Lacework, covering employee resources, financials, HR, product information, and customer details. The hacker attempted to extort Fortinet but leaked the data after negotiations failed. Although sensitive, the data does not appear to have been sold. Fortinet has communicated with affected customers and confirmed that its corporate network remains uncompromised.

Fortibitch has potential links to the Ukrainian hacking group DC8044, but no direct connections have been confirmed.

Key recommendations include enforcing strict access control policies for sensitive data, regularly reviewing user permissions, and encrypting data at rest and in transit. Additionally, implementing multi-factor authentication (MFA) and conducting regular security audits are critical to preventing unauthorized access and future breaches.

3. TeamTNT’s Latest Cryptojacking Attack Weaponizes CentOS Servers with Stealthy Rootkit

Researchers have identified a new cryptojacking campaign, likely linked to the TeamTNT group, targeting Virtual Private Server (VPS) systems running CentOS. The attackers gained access via brute force attacks on Secure Shell (SSH) credentials, deploying a malicious script to disable security features and maintain control over compromised systems.

The script disables SELinux, AppArmor, and firewalls, deletes logs, and removes competing cryptocurrency miners. It installs the Diamorphine rootkit, which hides malicious processes and grants attackers persistent, stealthy access. The script also disables cloud-specific security tools like Alibaba Cloud’s daemon and sets up cron jobs to re-download the malware every 30 minutes. It modifies SSH configurations to grant attackers backdoor access and ensures system lockdown by making files immutable. The campaign’s advanced capabilities allow it to evade detection while maintaining control through a remote command and control (C2) server.

Key recommendations include using strong SSH credentials, enabling two-factor authentication (2FA), and disabling remote root login. Additionally, implement rootkit detection tools, monitor cron jobs and cloud security tools, and use file integrity monitoring to detect unauthorized changes and prevent malicious modifications. Regular scans for unauthorized scripts are essential to protect against cryptojacking operations.

4. Exploitation of CVE-2024-43461 by Void Banshee APT Group to Spread Info-Stealing Malware

The Void Banshee APT group exploited the CVE-2024-43461 vulnerability to distribute the Atlantida info-stealer before Microsoft patched it in September 2024. This Windows MSHTML spoofing flaw allowed attackers to hide HTA file extensions using braille whitespace characters, making malicious files appear as legitimate PDFs. The attackers used the vulnerability in combination with another zero-day (CVE-2024-38112) to trick users into opening these disguised files, leading to credential and sensitive data theft.

Void Banshee targeted organizations across North America, Europe, and Southeast Asia, using this flaw to steal passwords, authentication cookies, and cryptocurrency wallets. While Microsoft has patched both CVE-2024-43461 and CVE-2024-38112, the continued use of whitespace characters in filenames still poses a risk, as users may mistake malicious files for harmless PDFs.

Key recommendations include applying the latest Windows security patches, implementing email filtering to block suspicious attachments (especially HTA and LNK files), and educating users about scrutinizing file extensions. Additionally, use advanced endpoint protection tools and enable strict browsing and application controls to detect and mitigate malicious activity, particularly from outdated browsers like Internet Explorer.

5. Exploitation of CVE-2024-43461 by Void Banshee APT Group to Spread Malware

Microsoft’s September 2024 Patch Tuesday release addressed 79 security vulnerabilities, including three actively exploited zero-days and one publicly disclosed zero-day. The update also fixed seven critical issues involving remote code execution and privilege escalation.

The vulnerabilities fall into the following categories: 30 elevation of privilege, 4 security feature bypass, 23 remote code execution, 11 information disclosure, 8 denial of service, and 3 spoofing vulnerabilities.

Zero-day vulnerabilities fixed:

  1. CVE-2024-38014 – Windows Installer Elevation of Privilege: Allows attackers to gain SYSTEM privileges on Windows systems.
  2. CVE-2024-38217 – Mark of the Web (MOTW) Security Bypass: Exploits LNK files to bypass security warnings.
  3. CVE-2024-38226 – Microsoft Publisher Security Feature Bypass: Bypasses Office macro policies blocking untrusted files.
  4. CVE-2024-43491 – Windows Update Remote Code Execution: Reintroduces older vulnerabilities in Windows 10 version 1507 and related versions.

Microsoft clarified that CVE-2024-43491 reintroduced previously patched vulnerabilities in components like Active Directory and Internet Explorer 11, though there is no evidence it was exploited externally before internal discovery.

Recommendations to mitigate these vulnerabilities include promptly apply all security patches. For CVE-2024-43491, install both the September 2024 Servicing Stack Update (KB5043936) and the Windows security update (KB5043083) in sequence to resolve the issue.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.

SISA’s Latest
close slider