Threat Research

FortiGuard Labs Weekly Threat Update – Week of 04 October 2019

By Jeannette Jarvis | October 07, 2019

Each week, FortiGuard Labs publishes a Threat Brief to subscribers that profiles notable hot topics and threats that were discovered or discussed during the week. Here is a recap of what we are covering in this week’s Threat Brief:

  • In this latest issue we look into a recently discovered critical vulnerability (FG-VD-19-117/CVE-2019-16920) affecting several EOL D-Link router models found by our FortiGuard researchers. This vulnerability could allow for remote code execution without authentication. This occurs when an attacker sends arbitrary input to the device's common gateway interface that could lead to command injection. Attackers know that many users treat routers as an afterthought (set it and forget it), and we have seen many attacks targeting these devices in the past. As these specific devices are no longer supported and still have a large viable footprint, they are perfect for attackers to leverage as part of a more sinister plan, turning them into botnets such as seen with Mirai, Satori, etc.

  • We also review a spike in the Winnti backdoor observed over the last couple of months. Winnti is a Remote Access Trojan (RAT) being used against Linux and Windows platforms. It is memory resident, meaning that the malware and its behaviors are hard to detect. Winnti uses various protocols to steal data, such as common ICMP and HTTP, as well as custom TCP/UDP protocols using benign handshakes, which makes it even stealthier. We have seen a spike in our telemetry related to Winnti from April to September, with an interesting lull in July. Winnti has a long, varied history. While it previously focused a lot of its attacks on the gaming industry to steal information, it most recently also began targeting the pharmaceutical industry.

  • This week’s report discusses a Quest Software KACE K1000 endpoint management system vulnerability that is very simple to exploit, potentially leading to a breach into managed endpoints and deploying malware implants. The issue relies on sanitized input for parameters that are user supplied and are then used to construct the file names to be handled by the system.

  • Additionally, we profile a new variant of the Purple Fox Trojan that utilizes new fileless techniques to evade detection. Purple Fox was made known last year when it was discovered as a payload delivered in the RIG Exploit Kit. Unlike its predecessor, which used NSIS, this new variant uses PowerShell, indicating the adoption of new fileless techniques.

  • OP5 Monitor is a solution based on the Nagios monitoring platform for real-time management, monitoring, and orchestration of IT resources. A CSRF flaw was discovered on the configuration page in OP5 version 7.1.9 and below, which could be abused to run arbitrary code as an unprivileged user. We have recorded a 30% increased telemetry for our signature detections of this issue in Canada and Japan.

You can find more details about these and other issues in the FortiGuard Labs Weekly Threat Intelligence Brief. Read this week's issue and subscribe to the weekly email distribution.

Learn more about FortiGuard Labs and the FortiGuard Security Services portfolio

Read about the FortiGuard Security Rating Service, which provides security audits and best practices.