
FortiGuard Threat and Incident Notifications

Boots-on-the-ground insight into real-world cyber campaigns


News on Trending Threats and Incidents

While high-profile cyber campaigns periodically capture global attention and news cycles, there is a steady stream of trending threats and incidents that impact individual organizations on a daily basis.

These are situations routinely encountered by our FortiGuard Responder Services team, which enables organizations to conduct 24x7 continuous cyber threat monitoring, analysis, and alert triage, as well as incident response and forensic investigation. Here we provide insight into recent threat actor tactics and corresponding techniques from our seasoned experts, as well as through the lens of our FortiEDR endpoint detection and response investigation tool.

There are two types of resources:

FortiGuard Responder Knowledge Base (KB) Articles

Quick analysis of trending threats and/or zero-day campaigns. KB articles contain:

  • Threat description
  • Insight into tactics and techniques, as identified by FortiEDR
  • Specific threat hunting queries to use to search your environment
  • Mapping to MITRE ATT&CK TTPs

FortiGuard Responder Incident Analysis (IA)

Deeper analysis on incidents observed in live production environments. The IA contains:

  • Affected platforms, threat type, impacted users, impact, severity
  • Threat overview with Cyber Kill Chain analysis
  • In-depth analysis of threat tactics and techniques
  • Specific threat-hunting queries
  • MITRE ATT&CK TTPs observed, along with available mitigations and Fortinet Security Fabric controls

Latest FortiGuard Responder Notifications

November 2021

New ProxyShell Post Exploitation Activity

Affected Platforms: Windows Endpoints, Vulnerable Microsoft Exchange Servers
Threat Type: Cryptomining
Impacted Users: Windows users
Impact: Cryptocurrency mining by taking advantage of the compromised system resources
Severity: Medium

The ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) have been aggressively targeted across the globe since late August 2021, with vulnerable servers often being compromised by multiple actors simultaneously. This article takes a deep dive into some unique TTPs employed by one of these actors, as observed in an investigated incident.

October 2021

Mitigating Unknown .NET Malware KB

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Cryptojacking

The use of .NET malware by adversaries continues to grow, and with it the need to detect, analyse and mitigate the behaviour associated with such threats. This article examines a new set of .NET malware variants observed in the wild by the FortiGuard Responder team, used for lateral movement and persistence as a precursor to the deployment of cryptomining software.

September 2021

Hive Ransomware

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Ransomware

A new threat group named Hive, which deploys a ransomware variant of the same name, has begun to ramp up operations around the globe. Notable recent intrusions in North America have propelled this group into the sights of the cybersecurity community.

September 2021

MSHTML Vulnerability – CVE-2021-40444

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Remote Code Execution

Microsoft has released a patch, mitigations, and workarounds to address a remote code execution vulnerability (CVE-2021-40444) in MSHTML, the browser rendering engine that ships with Microsoft Windows and is used by Microsoft Office. Exploitation of this vulnerability allows a remote attacker to take control of an affected system by luring a user into opening a specially crafted Microsoft Office document. This vulnerability has been exploited in the wild.
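The in-the-wild exploitation of CVE-2021-40444 ends with the Office process that rendered the malicious document launching a Windows binary (in the observed chain, control.exe) to execute the dropped payload, so a parent/child process hunt is the quickest way to find it in endpoint telemetry. The following PowerShell hunt is an added example and is not part of the FortiGuard KB or any Fortinet product query. The function name Find-OfficeSpawn, the list of suspect child processes, and the sample events are the author's assumptions; the events are constructed to look like Sysmon Event ID 1 records and are not real telemetry.

```powershell
# Added example (not from the FortiGuard KB): hunt process-creation telemetry for
# an Office process spawning a living-off-the-land binary, the tail end of the
# CVE-2021-40444 exploitation chain (Office -> control.exe with a .cpl/.inf path).
# Field names follow Sysmon Event ID 1; the sample data below is constructed.

$officeParents   = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'
$suspectChildren = 'control.exe', 'rundll32.exe', 'mshta.exe', 'wscript.exe',
                   'cscript.exe', 'cmd.exe', 'powershell.exe'

function Find-OfficeSpawn {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $parent = [IO.Path]::GetFileName($e.ParentImage).ToLower()
        $child  = [IO.Path]::GetFileName($e.Image).ToLower()
        if ($officeParents -contains $parent -and $suspectChildren -contains $child) {
            # control.exe being handed a .cpl/.inf path is the specific CVE-2021-40444
            # pattern; any other Office -> LOLBin spawn is still worth triage.
            $reason = if ($child -eq 'control.exe' -and $e.CommandLine -match '\.(cpl|inf)\b') {
                'CVE-2021-40444 pattern: Office -> control.exe with .cpl/.inf'
            } else {
                "Office process spawned $child"
            }
            [pscustomobject]@{
                Time        = $e.UtcTime
                User        = $e.User
                Parent      = $parent
                Child       = $child
                CommandLine = $e.CommandLine
                Reason      = $reason
            }
        }
    }
}

# Constructed sample events (not real telemetry). Only the first two should match.
$sample = @(
    [pscustomobject]@{ UtcTime='2021-09-08 14:02:11'; User='CORP\alice'
        ParentImage='C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image='C:\Windows\System32\control.exe'
        CommandLine='control.exe ".cpl:../../../AppData/Local/Temp/Low/payload.inf"' }
    [pscustomobject]@{ UtcTime='2021-09-08 14:02:13'; User='CORP\alice'
        ParentImage='C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
        Image='C:\Windows\System32\cmd.exe'
        CommandLine='cmd.exe /c whoami' }
    [pscustomobject]@{ UtcTime='2021-09-08 14:05:40'; User='CORP\bob'
        ParentImage='C:\Windows\explorer.exe'
        Image='C:\Windows\System32\control.exe'
        CommandLine='control.exe' }
    [pscustomobject]@{ UtcTime='2021-09-08 14:06:02'; User='CORP\alice'
        ParentImage='C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image='C:\Windows\splwow64.exe'
        CommandLine='splwow64.exe 12288' }
)

Find-OfficeSpawn -Events $sample | Format-Table -AutoSize
```

To run this against live data, replace $sample with the output of `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=1]]'` mapped onto the same property names. Office legitimately spawns helpers such as splwow64.exe (printing), so the child allow-list is what keeps the hunt focused; tune it rather than matching every Office child.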

September 2021

LockBit Ransomware

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Ransomware

LockBit 2.0 is a new LockBit variant that operates as Ransomware-as-a-Service (RaaS). This LockBit variant has an enhanced propagation component, which has never been seen in this ransomware before, and will automatically distribute itself throughout a domain.

September 2021

Conti Ransomware (3rd Version)

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Ransomware

Conti ransomware has been around since May 2020 and continues to affect a large number of companies. The FBI has linked the Conti ransomware attacks to a Russian persistent threat actor known as Wizard Spider. Conti distributes itself using BazarLoader and employs a multithreading approach to encrypt all of the files quickly. Conti is available in three different versions.

August 2021

HiveNightmare (aka SeriousSAM) Vulnerability KB

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Privilege Escalation

HiveNightmare, aka #SeriousSAM, is a vulnerability (CVE-2021-36934) in Windows 10 version 1809 and later, including Windows 11. Overly permissive ACLs on the files in %windir%\System32\config let non-administrative users read the SAM, SYSTEM and SECURITY registry hives from a Volume Shadow Copy, and the password hashes and secrets they contain can then be used to gain administrative privileges.
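The two conditions that make a host exploitable are an ACL on the hive files that grants BUILTIN\Users read access and the presence of a shadow copy from which those files can be read. The script below is an added example, not part of the FortiGuard KB or of FortiEDR; it checks both conditions and, with -Fix, applies the workaround Microsoft published for CVE-2021-36934 (re-enable ACL inheritance on the config directory and delete existing shadow copies). It assumes it is run from an elevated PowerShell prompt on the affected host; the variable and column names are the author's own.

```powershell
# Added example (not from the FortiGuard KB): check a Windows 10/11 host for
# CVE-2021-36934 (HiveNightmare / SeriousSAM) and optionally apply Microsoft's
# published workaround. Run from an elevated PowerShell prompt; -Fix applies the
# mitigation, otherwise the script only reports.
param([switch]$Fix)

$usersSid = 'S-1-5-32-545'   # BUILTIN\Users
$readBit  = [System.Security.AccessControl.FileSystemRights]::ReadData
$hives    = 'SAM', 'SYSTEM', 'SECURITY' |
    ForEach-Object { Join-Path $env:windir "System32\config\$_" }

# 1. The bug: the hive files carry an inherited ACL that grants BUILTIN\Users read (RX).
$exposed = foreach ($hive in $hives) {
    $acl   = Get-Acl -Path $hive
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $usersSid -and
            $rule.AccessControlType -eq 'Allow' -and
            (($rule.FileSystemRights -band $readBit) -ne 0)) {
            [pscustomobject]@{ Hive = $hive; Rights = $rule.FileSystemRights; Inherited = $rule.IsInherited }
        }
    }
}

# 2. The exposure: the live files are locked by the kernel, but a Volume Shadow Copy
#    of the system drive exposes readable copies under
#    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\Windows\System32\config\
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

if ($exposed) {
    Write-Warning 'Hive files readable by BUILTIN\Users:'
    $exposed | Format-Table -AutoSize | Out-String | Write-Host
} else {
    Write-Host 'Hive ACLs do not grant BUILTIN\Users read access.'
}
Write-Host ("Shadow copies present: {0}" -f $shadows.Count)
if ($exposed -and $shadows.Count -gt 0) {
    Write-Warning 'Vulnerable ACL plus existing shadow copies: a non-admin user can copy SAM/SYSTEM/SECURITY.'
}

if ($Fix) {
    # Microsoft's workaround: restore inheritance so the files take the directory's
    # restrictive ACL, then delete existing shadow copies so no readable copies remain
    # (new shadow copies will carry the corrected ACL). Deleting shadow copies also
    # removes system restore points, so confirm that is acceptable first.
    icacls "$env:windir\System32\config\*.*" /inheritance:e
    vssadmin delete shadows "/for=$env:SystemDrive" /quiet
}
```

Run it without -Fix first and review the output; a host that reports a vulnerable ACL but no shadow copies is not exploitable at that moment, but becomes so the next time a restore point or backup snapshot is created, so the ACL still needs correcting.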

August 2021

GuardMiner Cryptocurrency Miner Operation Disclosed

Affected Platforms: Systems running Windows operating system
Threat Type: Cryptocurrency miner
Impacted Parties: Windows users
Impact: Cryptocurrency mining by taking advantage of the compromised system resources
Severity Level: Critical

The FortiGuard Responder team analyzed patterns in post-exploitation activity associated with MS SQL Server compromises observed within FortiEDR platforms. The campaign the MDR team observed is related to GuardMiner.

August 2021

PrintNightmare Vulnerability CVE-2021-34527 KB

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Privilege Escalation

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert following the disclosure of a proof of concept (PoC) exploit for a zero-day vulnerability in the Windows Print Spooler service. This critical vulnerability has been dubbed PrintNightmare and is assigned CVE-2021-34527.

August 2021

Juicy Potato Hacking Tool Discovered on Compromised Web Servers

Affected Platforms: Systems running Windows operating system
Threat Type: Local privilege escalation
Impacted Parties: Windows users
Impact: Allows an attacker to gain system-level privileges to run any arbitrary commands
Severity Level: Critical

JuicyPotato (also known as SharpPotato and SweetPotato) is a weaponized version of RottenPotatoNG, a Windows privilege-escalation hacking tool. It abuses the SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege typically held by service accounts, such as those running IIS web applications, to obtain a SYSTEM token, which is why it turns up on compromised web servers.

July 2021

Kaseya VSA Attack

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Supply chain attack with escalated privileges

CISA has released guidance identifying a suspected supply-chain attack on the Kaseya VSA application. Kaseya VSA is a commercial tool used for remote management and administration of a network.

July 2021

New Post-infection Activity of Lemon Duck Botnet Discovered

Affected Platforms: Systems running Windows or Linux operating systems
Threat Type: Cryptocurrency mining botnet
Impacted Parties: Windows and Linux users
Impact: Data exfiltration to attacker-operated command and control servers, cryptocurrency mining by taking advantage of the compromised system resources
Severity Level: Critical

Lemon Duck is a modular crypto-mining botnet with worm-like spreading capability. This botnet has been active since December 2018, targeting victims across the globe, including North America, South America, Africa, Europe, and Southeast Asia.

July 2021

IcedID (a.k.a. BokBot) Infections On The Rise

Affected Platforms: Systems running Windows operating system
Threat Type: Banking Trojan, information stealer
Impacted Parties: Windows users
Impact: Credential theft, data exfiltration
Severity Level: Critical

IcedID (also known as BokBot) is a banking Trojan that gets distributed through phishing email campaigns. This banking Trojan targets victims to steal financial information, including payment card details, login credentials, and banking information.

July 2021

REvil Ransomware (aka Sodinokibi)

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Ransomware

The REvil Ransomware-as-a-Service (RaaS) operation, also known as Sodinokibi, surfaced in April 2019, shortly before GandCrab's authors announced their retirement, and quickly became one of the biggest ransomware threats.