Threat Research

Whitelist Me, Maybe? “Netbounce” Threat Actor Tries A Bold Approach To Evade Detection

By Rotem Kerner | March 11, 2021

FortiGuard Labs Threat Research Report

Affected Platforms:    Windows, Linux, MacOS
Impacted Users:        Any organization
Threat Severity:         Critical

On the 12th of February, FortiGuard Labs received a request via email from a person representing a company called Packity Networks asking to whitelist their software. The sender claimed it to be a false-positive that inflicts a significant impact on their business.

Figure 1: The email we received from Packity Networks alleged CTO.

At the time, the file at the link was classified as malicious only by Fortinet and Dr.Web sandbox.

Figure 2: Detections in VirusTotal for setup.exe at the time we received the email.

Even though, at first glance, the request seemed innocent, and almost no other security vendor had flagged the file, we always investigate such requests thoroughly before complying. Our investigation led to the discovery of a new group we called “Netbounce” and it exposed their malware delivery infrastructure. What made this stand out among others is their unique set of tools and techniques. We were able to find several variants developed in-house by this group, each serving a different purpose.

In this blog post, we’ll present the measures taken by the Netbounce group to make the campaign look as legitimate as possible, and the actions FortiGuard Labs took to discover the real intentions of this threat actor.

The Cover Story

Before starting to analyze the sample, the first thing to notice is that the link from the email (hxxps://packity.com/setup.exe) had no reference on the company’s website, including no visible hyperlinks, no mentions of the file or similar names, etc. Moreover, an “official” installer can be found via another URL on the site:  hxxps://www.packity.com/pub/desktop/Packity-latest.exe

As can be seen in the following table, these installers are entirely different.

File Name

setup.exe

packity-latest.exe

Programming Language

GO

NSIS installer, deploys NodeJS application

File Size

7MB

40MB

Behaviour

No user interaction

Installer with UI

Table 1: Key differences between the official installer and setup.exe from the link.

However, this alone is not a very solid indicator as there may be legitimate reasons for the discrepancy, such as the installed application downloading and using that setup.exe file later on. Also, the two executables didn’t exhibit any obvious malicious behavior, and both were validly signed with the same certificate issued to “Secured Network Stack”. 

But the background checks we conducted on Secured Network Stack and Packity Networks Inc. yielded no results; there were no registered companies or official reference to these entities, nor we could find any employee profiles online. However, based on a twitter account, Packity seems to have had some online presence besides their website for at least two years, and we found reviews for the software.

Figure 3: setup.exe digital signature information from VirusTotal.

Suspicious Code Signature

Even though the executables were signed with the same certificate, we noticed that the certificate was issued with an unrelated email address, session123@me.com. The certificate was issued on September 2nd 2020, so we searched for older certificates used by Packity and found an older installer. Comparing the older signature confirmed that the contact information is indeed unrelated to the company.

Figure 4: Signature information of the old installer (left) and current (new) Secured Network Stack signatures used to sign the executables.

The “@me.com” domain only belongs to Apple mail accounts created before September 19th, 2012, as can be seen on the Apple support website:

Figure 5: Apple support site addressing the @me.com email domain.

Although it may seem odd that a different email was used, the new certificate was issued exactly when the previous certificate expired, on September 3rd 2020, which may hint it’s not malicious.

A keen reader may also have noticed that the signature with the new certificate doesn’t have a timestamp countersignature. This is highly uncommon when signing code, and the “official” setup file from the website does have a timestamp. Because of this, our suspicions were still not resolved.

Diving into the Binary

As mentioned earlier, executing setup.exe did not provide any clear-cut malicious indicators. However, we did observe the following actions:

  1. Copied itself to “C:\Windows\Net Helper\net-helper.exe”.
  2. Created a service called “Net Helper” with the copied file.
  3. Started the service and exited the process.
  4. The new service process then attempted to connect to hxxps://update.netbounce.net/check every 5 minutes.

This behavior is abnormal for an installer, since a) no user interaction occurs, b) new folders are normally not created in C:\Windows and c) no actual files of the program are unpacked and the installer just copies itself.

Looking at the code, we could see it is written in the Go programming language and has a function named equinoxUpdate. According to its website, Equinox “helps you build, package and distribute self-updating Go apps to your customers” offers paid hosting plans, and provides an open-source client SDK

Figure 6: Equinox documentation.

In fact, aside from setting persistency, most of the functionality of the executable is basically the Equinox client using a hardcoded AppId “test”. There were no other references to the equinox namespace, meaning it was used with source code and not just as an imported package, so we checked for any changes made to it. And we found that in addition to the updated URL listed above, the HTTP User-Agent header was set to “Netbounce/1.0”.

Changing the URL effectively means the public Equinox servers won’t be used but that by using the same protocol the update mechanism might still appear legitimate.

At the time of our analysis, the update mechanism did not download anything. However, it's possible the threat actor simply reserved the option to use it and deliver malicious payloads in the future.

Quick Recap

At this stage, we hit a roadblock. There were many weird looking indicators: sketchy company, executables which lack references on the company’s website, digital signatures with shady attributes, and an application without any substantial functionality. But as suspicious as it appeared to be, we didn’t have any concrete proof it was indeed malicious. At this point, we decided to try to find other files that were signed using the same certificate, hoping to get a new lead.

Revealing the Real Story

We were able to track down additional samples that shared similar properties to the one we received in the email. Among them, we identified samples compiled for Linux and MacOS, as well as actual malicious capabilities.

A sample found in the wild under the name “Net Helper GUI.exe” was nearly identical in all properties:

  • File size: 7MB
  • Programming language: Go
  • Execution path: %windir%\Net Helper\ net-helper.exe 
  • First seen: 2/14/2021

Bindiffing the executable confirmed that both samples have the same author; moreover, it revealed that it has additional functionality:

  • Exact function matches: 5074.
  • Partial function matches: 29.
  • Net Helper GUI.exe only functions: 164 (new functionality).
  • Setup.exe only functions: 34 (none contain real functionality).

Analyzing the differences, we observed that the function main_run has additional code on the branch that runs when the service has not yet been installed. Prior to installing the service, the function “main_setupNetUpdater'' is called to download and execute a next-stage payload via an HTTP GET request to boostfever.com. With the URL path and domain are hardcoded, the subdomain is either:   

  1. A randomly generated UUID - hxxp://0857a813-72ca-4a70-883a-3b555f6bf3c1.boostfever.com/progwrapper.exe
  2. The hardcoded “cdn” string - hxxp://cdn.boostfever.com/progwrapper.exe

We’ll elaborate on progwrapper.exe in a later section.

Figure 7: Graph view of main_run with the added basic blocks (highlighted).

Before running the payload, it is also made persistent on the machine via Registry for each time the current user logs on with a new session: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net-helper.

We found such downloaders were contained inside archives and MSI installers. Placing this functionality right after verifying that the service isn’t installed makes sense with this possible infection vector as that’s the case when the sample executes on the system for the very first time.

The Equinox client was used as an imported package, so the namespace is found intact, along with the default URL (https://update.equinox.io/check) and User-Agent (EquinoxSDK/1.0). A hardcoded AppId (app_6EE4wBvjBhS) was used across all the samples we detected. After the 5 minutes timer elapses in the service, an update is pulled from the Equinox servers.

The updated file is another variant of “Net Helper”. It has the modified Equinox client, like in setup.exe, but the AppId is generated using the machine’s serial number. We will refer to these samples as post-update variants.

Reverse Proxy

Another functionality incorporated in various samples, pre and post update, is reverse proxy, which effectively grants its operator a foothold inside compromised networks while bypassing perimeter firewall policies. Potentially, its purpose may also be to use infected machines as hop points when conducting operations against targets in other organizations.

This capability was implemented using the open-source Tunnel package. When the service runs, an HTTP GET request is sent to an external server, for instance, hxxp://connect.netbounce.net/manage.json, to obtain the address of the proxy server for inbound communication. Once the sample connects to the specified server, the operator can start proxying HTTP/TCP connections through the compromised machine.

The name of the package in the compiled binaries is “netbounce” or “proxy”. Off the shelf, the package supports redirecting traffic only on the local host; in our case, the victim’s machine. The malware authors changed the code to allow them to connect to other machines, per specification.

Figure 8: The disassembly of TCPProxy.Proxy function against the original source code.

MacOS and Linux Variants

Using the Go programming language allows the threat actor to easily extend their operations to MacOS and Linux, as it is simple to compile the source code to a different operating system.

For MacOS, we found an application package with a post-install script that downloads a pre-update variant with the same hardcoded Equinox AppId (app_6EE4wBvjBhS). It also includes the reverse proxy functionality with the same management URL (hxxp://connect.netbounce.net/manage.json).

Figure 9: The post install script included in the package.

For post-update samples we observed, there were no additional updates pulled from the netbounce.net domain. Leveraging the fact that the Equinox client was used to communicate with this server, we figured out the URLs that serve files in response to valid update requests. Through that, we issued requests on our own and were able to obtain an ELF sample we classified as a post-update variant.

Program Wrapper

Circling back to the progwrapper.exe executable, we identified it was also developed in Go. It sends an HTTP GET request to a hardcoded URL (hxxp://cdn.boostfever.com/ex.json), which returned the following JSON object in response:

Figure 10: ex.json from the response.

Depending on the “type” field, it checks if a file or a registry key does not exist in the provided path and proceeds to download and execute the file from the “download_url”. The function main_downloadAnotherExecutable also exists in “Net Helper GUI.exe”. The code is shared and has just one small difference that is not related to the functionality itself.

In this case, output40.exe is the final payload. It's packed with a multistage packer. Following unpacking, we discovered different stealers being delivered from this infrastructure, such as Vidar and FickerStealer. We observed different variants of the packer, and so we estimate it is a part of this delivery infrastructure as well. After unpacking, the payload is executed in memory using reflective loading or Process Hollowing.

It is interesting to note that FickerStealer’s first action is to create the file “Trackingfolder084\start.txt”. The string is hardcoded in the binary, which hints at an intimate relationship between it and the Netbounce infrastructure.

A newer version of progwrapper.exe added a basic remote command execution capability, which can be used instead of the download and execute. This variant also uses a different hardcoded domain, t1.xofinity.com, over HTTPS, and the responses are encrypted with the AES algorithm. Oddly enough, the HTTP User-Agent header is set to “Netbounce/1.0”.

Connecting the Dots

Netbounce” is used as a domain name, as a User-Agent, and for custom packages in the source code. Its possible source code is shared by different actors; however, overlaps in the network infrastructure makes it possible to cluster all the activity together to one entity.

WHOIS records for installcdn-aws.comboostfever.comjumpernode.com, and uptime66.com show they were all registered by the same entity.

They have the same active subdomains, like cdndownloadupdate, and proxy. Other subdomains have a similar pattern, where they are formatted as “<single char>1”: c1.boostfever.comu1.boostfever.comt1.xofinity.comm1.uptime66.com.

All IPs for the domains resolve to the same subnet - 195.181.160.0/20. Some servers are also hosted by different domains:

  • 195.181.169.92: dl.installcdn-aws.comu1.boostfever.comt1.xofinity.com.
  • 195.181.164.195: cdn.boostfever.comcdn.netbounce.netproxy.netbounce.netconnect.netbounce.netproxy.jumpernode.comconnect.jumpernode.com.

Looking at passive DNS records, we get some idea for the progression of the campaign over the few last weeks. The following table shows the resolution history of domains that pointed to 195.181.164.212, providing another indication that all the domains are operated by the same entity.

Date resolved

Domain name

2021-02-23

m1.uptime66.com

2021-02-16

xofinity.com

2021-02-15

p1.boostfever.com

Table 2: DNS resolution history to 195.181.164.212.

We generated a heat map of infections across the world using FortiGuard threat intelligence data: 

Figure 11: Heat map of infected victims by country.

Summary

This new campaign was detected almost immediately after it started, even though the threat actor took a lot of measures to appear as legitimate as possible to evade detection:

  • Used a real, even though shady, company to masquerade the activity.
  • Used valid certificates that looked very similar to the original certificates used by the company.
  • Employed a legitimate update service, Equinox, as part of the infection chain.

The threat actor was convinced that the cover was good enough to send us an email pointing us directly to their executable in an attempt to trick us to whitelist it.

The initial sample we got is only one part of a rather elaborate, multistage infection mechanism that can be activated at any point in time, with the final payload customized according to the attacker’s discretion.

Figure 12: The infection chain stages.

The rich and versatile open-source ecosystem of the Go programming language, along with its cross-platform support, surely cut down heavily on the threat actor’s work time and costs.

After we proved this is a part of a malicious campaign, we kept digging and found many additional related samples, and some of the samples were signed with certificates issued to other shady companies.

We’ll dive into technical details of FickerStealer in a follow up blog.

Fortinet Protections

FortiEDR

FortiEDR detects and blocks payloads delivery from this infrastructure out-of-the-box without any prior knowledge or special configuration. It uses both its AI-based AV and post-execution prevention engines, as can be seen in Figure 12:

Figure 13: FortiEDR blocks the payload actions post-execution.

FortiGuard Web Filtering 

FortiGuard’s Web Filtering blocks all known domains and URLs (listed in Appendix B), and all malware samples listed are detected as:

W64/NetBounce!tr

In addition, as part of our membership in the Cyber Threat Alliance, details of this threat were shared in real time with other Alliance members to help create better protections for customers.

Appendix A: MITRE ATT&CK Techniques

ID

Description

T1553.002

Subvert Trust Controls: Code Signing

T1543.003

Create or Modify System Process: Windows Service

T1547.001

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

T1071.001

Application Layer Protocol: Web Protocols

T1573.001

Encrypted Channel: Symmetric Cryptography

T1573.002

Encrypted Channel: Asymmetric Cryptography

T1090

Proxy

T1027.002

Obfuscated Files or Information: Software Packing

T1055.012

Process Injection: Process Hollowing

 

Appendix B: IOCs

File Names

outtput213.exe
output40.exe
progwrapper.exe
pwrap.exe

File Paths

C:\Windows\Net Helper\net-helper.exe

Registry

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net-helper

Domains

netbounce.net
cdn.netbounce.net
bin.netbounce.net
connect.netbounce.net
update.netbounce.net
proxy.netbounce.net
newurl.netbounce.net
file.netbounce.net

boostfever.com
cdn.boostfever.com
c1.boostfever.com
u1.boostfever.com

installcdn-aws.com
dl.installcdn-aws.com

jumpernode.com
connect.jumpernode.com
notif.jumpernode.com
download.jumpernode.com
proxy.jumpernode.com

uptime66.com
m1.uptime66.com

xofinity.com
t1.xofinity.com

uploadhub.io

Payload hosting domains:
applemart.biz
demian.biz

IPs

195.181.169.92
195.181.164.195
195.181.169.68
185.59.222.228

URLs

hxxps://packity.com/setup.exe
hxxp://<UUID>.boostfever.com/progwrapper.exe
hxxp://cdn.boostfever.com/progwrapper.exe
hxxps://uploadhub.io/manager-macos
hxxp://connect.netbounce.net/manage.json
hxxp://cdn.boostfever.com/ex.json
hxxp://newurl.netbounce.net/ex.json
hxxps://update.netbounce.net/check
hxxp://file.netbounce.net/p3wrapper.exe
hxxp://download.netbounce.net/p3wrapper.exe
hxxp://proxy.netbounce.net/launch.json
hxxp://notif.jumpernode.com/launch.json
hxp://download.jumpernode.com/p3.exe
hxp://proxy.jumpernode.com/launch.json
hxp://proxy.jumpernode.com/ex.json
hxxp://u1.boostfever.com/check
hxxp://dl.installcdn-aws.com/pwrap.exe
hxxps://m1.uptime66.com/fetch.json

Certificate Thumbprints

ed165d2ab91538a8fb399fa543151b7767f471c3
9083948fd75b63d15229b413546332adfe5507b4
bcc2a3f7c9d57807895104b0d40e869407c98b6b

File Hashes (SHA256)

6733a81c321b5dedc6dc33d3e4dcf82ec15caef172dab86954e1a664c5ad0973
9034f7dd8d9ad1c49372412bf33d48d725087c52504ac8512c9d1d31816a3607
1762738638ce472f7fed23003bec41d6c1debc414dca966439f853a8cee7119d
66ba544e9493621b9594e3d4604c47ef4244c22c80e60c28f0bdfa8025f94d3f
b71038f63ab7f2ca5e2c80b7f0a5977b31cf6406b29dc28ab7f0ec118d98ba8c
cb2c56f85623d64f4bc788d77b1163bb0b8bfbd6d451dc976d390f7e7cd0f279
e0954bf1de9f4afc60357d49c5e973a8d0dde1f84b65bd2930296004fa762188
fddcdcdc2802454ed3641efdb9d86f334c61b52d90533c96f2b46302c28580a3
b913ab61afd82fb6560f51beecf339b43aa7d310de3a572efa18d7ee256c92da
fe96c4e912886584598ffd7ba5cf933776b6c53bbee572ed7c4bed81856bd7eb
988b991f3b33da069b112e743520fe986be9bf16cd8d442339582844f56c053e
e03258d7c29798610cdf9eb3a7cd0a0337ee83a936a31157cfddca9d13d725cc
a183d902ba43f10f2edb7c3153393665261b201dc3fb7cb8a94d58780eac5500
0298de2853407a54bcbf264234bd562321c2fdde155567f587504bd62b077fe0
8424b4c0dd16de41e0f0c92ca4ddbd192eab225cc09544c7315f40f1ba76710b
85b916180f6bc0cb63b4113b1684dcae53408198615b3d24412d669de90aafbd
12749b43d88a34c3a43c3fc60e29a678f6e220556a52be80993eec5d944eeb87
31227a18b873cf14689b1e82b4f6d8c2e8ba59d1943fe94fd28cde7b29a335d2
c5654ff65d13c67e7d2499f5d67480caae65d29a8e08cda71367a1707ae6021b
9587f5de22437d2f61385d98d289a73b4de2264c3a6030b7fd47a01b6963e14c
dfa8f3e9a34d8f9f783c8f3d7de918f026605b304840abf856767b45396f1440
3d8f6d3315ce87f0278879b0eb67de9d5da636f2e3da1f49567575f1f2f150f4
d38ec57079e8f913d4493bc88c82efb08afb79c245c4637ac4a6e07ed351c060
2d72a008bfdfcd3284f926348cebb7a459872174c645029b87b5b868ff89f6c0
b6d6ddbc9119380be5945175eb218c4dd6994bb6ca25eaec7024bbf354d33011
7d06bfc310ad39d79898c6b2949ab3e747fe282ba1c35e6ec8e6c5962f10c3da
80aeb6af074c151efa0e32693b1e3cf8ea2d700e29a1c39d371fdf0cf3f101da
51326a0c585532f8ad872a195bb90f06161660026cddc6ef84b4c07ff9b281cd
1e57676cf5946502ef27d7c08bc9afcf8f4fb058a722bde849250def9d1d42a6
90954e568e8645e68a5c56a38d817e553c2e256f9f692ca008578f6d77e5bfef
2147356098721f8003a1f94c08fb8cbaa754059b5019960cd47c354f5accc412
6750224a37e7ed287f75be8cc741ff99081b35f77d72a759f67f9561897967d
22403f3f045ca8c29b1bb7f9d0ca195d2c15f3d0d70e990607ccbc65f070bfef
89ebcd8aed0574684e320ad14cbd4b59a5423c4db28786993bb37431a30aea27
2f26dc5c71df628cedc4dbf60fa1d3d695ecb60f0b38572850974ea4ee081b80
d54f390ecc9dc73a4ab2aad6af0e36eb8bac68f8168079b9956366c929903912
ea03ef2fb38f6677c41949b3ab45c973457ceef2a1cc090ad250045b120e2b9c
72225670febdbb21262d6f54f93d518843dc51363a827bf256377c2354a08b7e
62a7e6b1cf4d4af7430f62c8859e26ccf2446d92cc7caf2cd86fcc8a731d413a
5771123bf3eb4560f53a072b6011ac990f584e99928366be7a98b47e310b642a
da2a50653bdbbb6871dd4790ea95bda4c183b1cf05aba8fa0f3205602ac7d65b
e570c83c7b852cbd0fad6e0a72017f4a93e5e0c0db3d076950341bc6dcaabd40
6194f7f3c0f9ff9789975b6aaaa5d252c06a88b9ac5d5a69e907c939fb33eba0
77a0bd4fb38fac1f0cb280983a87697dbbaa1268f9c4c59b3f714cbd2d23f184
b3402c8b86dbd9a2349b6486abe0f3502bf7450ea8180feb924a0785a7a0e203
d473fbe34df054354f56d1edfa99fb8bfe6e1e41b2f7dcbce9bada48cafb3b24
6f0c77ecdce1b8dad35b073454f01f39ea7e160f7f1439ac9287bc157b6f37a2
77ca624ebce09dc6a480f91e7cf1d69a2dde43e7cd5603fd8f058cf239a011fe
8b5bf607ad7cb81fb799acecf6bd503585d59eced3d84b853ba0a1a7d98200b2
f9d2a6933f0ca86321d2c857d537eeb623d9081fe6d883bc44d09e96b57def56
a6d9ab9ae6e659fc124ecb6f18e746a0327339784bb14ea401c664b9dc38b693
f6466773c7d24c2609504622e1f2acfb6a912a6aff7a97f7aa82760cf9b62b09
ea5a7051b52fa0e6a91f88ae3c1dac6a1e77c1a849a9835ebcb432bdacd475ef
1abb54ae68d00a146f2775dd54a6249d344fb4032459f7637bc04dbbed0789b9
5fbe8928becdabcbb98dd08502b7d50f85313cc7dc463c4b98d88ce33882db07
a0f1050ae5f427dc6e3911f4091b9e8463d3ca780ff322841f5a61972dc03e01
3dffef8bcccfe4b87133cb55475bd756e6ef26697128d250f3f3d9f6d23e8cc1
3aa52ee7f7183009188dedb4d1a8913a297d78a0735d70756813ce93bfcbbb90
9f1bbfa89ebfca776751f86bd6ef9999ddb6fc9382b904a4f871682457485ad4
a217fddc29ea3011b344b271070ef945686ed2ad9a1fbddde8a7580145fac52d
a6ffa5eb6194c9cb47d128276b46c937abf99e3e5093490eaa8ca735fec40d36
b9b53b6c25008e99fbbc42b17c2659ca5d94c5d1564394a21cc18f0f7739dab5
738c287cabbf34311100d79d495243cf5ac9953d6127429c326b2b4f95543bdf
4f05cea5b58a5584ee1bfa5edc2782b90a94980d0ac6e6095aff7b8d5eeb08a0
2692907ef6069b08b160b3c5ff96cde9befe967f4738739743585d2bec522aeb
19436558180291e8efe93a8d80650a088514a383d91c2349d23a669295e68a73
4dfcb42d7d9175767c6b1bf7815b16c0b5fb19abc74f5c679aad6a18b45c7272
c7276383b758459ab66e65eea4cbbfd08c1bc11788c041aad7f262e43a7831cf
88e95d786946f5c40d2647745e228397ef913abd725d6772f57e5e614ab06aeb
b8883a545b304e514cbabfc798ecd1fef7e6183fef5f302cb87f3ecbd95138be
47b2e429d6ba71db0bc6d9eb88f424c2b56a7617edcd0c9c55f2700958ede705
89e71c1e3c5a8d4296dfad8ddf988ccb249c774897d30ba8ee2f81d9b3a407e3
928eab32cbf6792d33cf4ff4e27979e97ccc2db7169b9ccc712e950d99fa8a20
0859161ae696e7cfd8b27e65486225a80807b5de96f1c6bc1e7060d66efc778b
28625fad27118be2fabc898d82deff88bd47d547ecaeb183af0b2f34c8c517ae
342695cfc7250cf7df7ff24347ecb0ca1032a6c8e3274ad2777b652589b7ec79
bd4cdc7832ed1e4132978072af5d1ea46541bb89bcdc8d3153ff82dd0525c9c6
3d3d4cbe87d8a3f39970211626a71a23a966bc01d9bdb02cef45eeb7e79fa2d8
c3f3623af38306139f2ce4b223ab927f25673fb47f9a464b4df90cc1bdf5def8
98ed42b0a59297ba96f2333d06664a531ed9c17a79de855f037fa1e3900b40d7
d39bf5430c25f74f110514e5b06b62623e0d2bde7edc700098fe930d09144c3d
743d808788076e551695512fd8fbc9515513fa99aa966bf310063bcb35bc439d
820131766d56d33c58937bd339cc5de48a36bd994b10dcf4052a9dbcd5e55aab
7f9baee2d74b8bb2f3046fef0caa4bf6ef595c4993e004901ba543ed60ebfc80
b0441ddcb5c5c2c06b879fd73afeaa4b0861b5c404e144cac5ec902c2cf38f6a
d74a306e0eb4a7dcfd43305b1d964c383afd0bfec9ded1829ce9ac5c32a27cfa
47d6782fbb1d67e16384bee8dfbc2789c5338ee7100ca04196dd7eb13d9987dd
1d83513ad0006007ba03163befded12d496858e99cf7ada0c7a2700c4edc67af
c36c66968754a87ed98a717f77521c41a32458cd29348a289461ae96570b431a
c412a306c940bba66211e87e32b7af572240188804054e3d38abd12cb9cbb112
66beab1abc5bd6c491fea835f9f4c938973a2570eeda58e9171b0b47b329c5b2
492ae093bc1c776dde5d3e18f679a7b0e662511332ae6fae570a349c1396b681
8557c08c2da5d075e454a46b1ae6f3cad8982b0712889e80a57f6dd8aa6f8099
068a61c5c6589b7b582d21aecee7811dae197f3f946936ec5df54fd405dec20d
810d7c7212a984b614b360e692b48da631ebeb4ecc63d7ac6243c074fcd436b1
f1aed4864eeae160661e9a2fdb5b94b7584722f08cb640b9e8280d9700f3601
f45c7d3aa1eaf5b550698007165e8fd077769b859fce4f7161f0051b382125d5

 

Learn more about FortiGuard Labs threat research and the FortiGuard Security Subscriptions and Services portfolio.  

Learn more about Fortinet’s free cybersecurity training initiative or about the Fortinet NSE Training programSecurity Academy program, and Veterans program.