Skip to content Skip to navigation Skip to footer

FortiGuard Threat and Incident Notifications

Boots on the ground insight into real-world cyber campaigns

联系我们

News on Trending Threats and Incidents

While high-profile cyber campaigns periodically capture global attention and news cycles, there is a steady stream of trending threats and incidents that impact individual organizations on a daily basis.

These are situations routinely encountered by our FortiGuard Responder Services team that enables organizations to conduct 24x7 continuous cyber threat monitoring, analysis, and alert triage, as well as incident response and forensic investigation. Here we provide insight into recent threat actor tactics and corresponding techniques from our seasoned experts as well as through the lens of our powerful FortiEDR endpoint detection and response investigation tool.

There are two types of resources:

FortiGuard Responder Knowledge Base (KB) Articles

Quick analysis on trending threats and or zero day campaigns. KB articles contain:

  • Threat description
  • Insight into tactics and techniques, as identified by FortiEDR
  • Specific threat hunting queries to use to search your environment
  • Mapping to MITRE ATT&CK TTPs
FortiGuard Responder Incident Analysis (IA)

Deeper analysis on incidents observed in live production environments. The IA contains:

  • Affected platforms, threat type, impacted users, impact, severity
  • Threat overview with Cyber Kill Chain analysis
  • In-depth analysis of threat tactics and techniques
  • Specific threat-hunting queries
  • Mitre ATT&CK TTPs observed along with available mitigations and Fortinet Security Fabric controls

Latest FortiGuard Responder Notifications

September 2022
Racoon Stealer v2

Racoon Stealer v2

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Stealer

Racoon Stealer v2 is the most recent iteration of the Racoon Stealer information stealer. Racoon Stealer operators use the Malware-as-a-service (MaaS) model and sell access to their tool through the dark web. The tool has extensive features that allow it to steal files, passwords and crypto information from infected endpoints. This article examines a recent Racoon Stealer v2 sample to demonstrate how FortiEDR detects and mitigates its operation.

August 2022
Agent Tesla Stealer

Agent Tesla Stealer

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Stealer

Agent Tesla is an information stealer sold as a software as a service offering. Agent Tesla has in-built functionality that allows operators to build custom payloads to be deployed through phishing campaigns. This article takes a look at one such campaign from late July detected and mitigated by the FortiGuard Responder team, and highlights how FortiEDR protects against this threat.

August 2022
PurpleFox Rootkit

PurpleFox Rootkit

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Rootkit

PurpleFox is a family of malware most commonly known for its rootkit capabilities. PurpleFox was first identified in 2018 and has continued to be employed as part of global phishing campaigns since. This article examines how FortiEDR detects and mitigates various stages of the rootkits operation and installation process and looks at how Threat Hunting can be used to identify some key behaviors exhibited by the analyzed sample.

August 2022
Dogwalk Vulnerability

Microsoft Diagnostic Tool 'Dogwalk' Vulnerability

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: RCE Vulnerability

Dogwalk is the name given to CVE-2022-30190, a remote code execution (RCE) vulnerability in the Microsoft Diagnostic Tool. Whilst this is a vulnerability in the same Microsoft tool as the 'Follina' vulnerability identified earlier in the year these are not directly related. This vulnerability was first disclosed in January 2020 but was not acknowledged by Microsoft as a vulnerability until August 2022. This short article explains how FortiEDR provides detection and mitigation for post-exploitation activity related to this vulnerability and explains the attack chain associated with exploitation of this vulnerability.

July 2022
Analyzing MSSQL brute-force post-exploitation

Analyzing MSSQL Intrusion: AutoIt Obfuscation and Injected Remcos

Affected Platforms: Machines running Windows operating system
Threat Type: Remote Access
Impacted Users: Windows Users
Impact: Remote Access/Follow-up activity
Severity: Medium

 

This article analyses post-exploitation activity on an MSSQL server that was a victim of a number of brute-force attacks. The post-exploitation activity involves a unique process chain that employs the AutoIt scripting interpreter and a heavily obfuscated AutoIt script to execute a Remcos executable within a hollowed process. This article includes FortiEDR Threat Hunting queries, MITRE ATT&CK mappings and IOCs to support threat hunting activities.

June 2022
Mindware Ransomware

Mindware Ransomware

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Ransomware

Mindware are a new ransomware group that emerged in the last quarter of 2021. The group employs their own ransomware that appears to have similarities with SFile2. The group targets organisations from various industries across the globe with double extortion through stolen data and ransomware enabled data encryption. This article analyzes some features of the ransomware employed by the group and highlights how FortiEDR detects and mitigates this threat.

June 2022
CrimsonRAT Remote Access Tool

CrimsonRAT Remote Access Tool

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Remote Access Tool

CrimsonRAT is a Remote Access Trojan (RAT) which targets Windows endpoints and has been employed by threat actors to access infected endpoints to capture screenshots, steal credentials and gather information. CrimsonRAT is also known as SEEDOOR and Scarimson. CrimsonRAT campaigns (June 2021) targeting Indian government networks have been attributed to the threat actor group Transparent Tribe, a suspected Pakistan affiliated actor. This article takes a deeper dive into behavior exhibited by this RAT and how FortiEDR can be used to detect and mitigate its deployment and operation.

June 2022
Confluence Vulnerability (CVE-2022-26134)

Confluence Vulnerability (CVE-2022-26134)

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: RCE Vulnerability

On 02 June 2022 Atlassian released an advisory for a critical OGNL injection vulnerability in their Confluence product that allows for Remote Code Execution (RCE). This vulnerability is currently being used by numerous threat actors as an alternative initial access method and is rapidly being substituted into existing campaigns.FortiEDR provides protection from all currently tracked post-exploitation TTPs related to this CVE. This article walks through what this post-exploitation activity looks like and how FortiEDR keeps endpoints protected.

May 2022
Microsoft Diagnostic Tool 'Follina' Vulnerability (CVE-2022-30190)

Microsoft Diagnostic Tool 'Follina' Vulnerability (CVE-2022-30190)

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: RCE Vulnerability

The 'Follina' vulnerability (CVE-2022-30190), a RCE vulnerability in Microsoft Office protocol and the Microsoft Diagnostic Tool, was flagged by Microsoft on 30 May 2022. This RCE vulnerability is currently being employed by numerous threat actors as a replacement for macro based execution in malicious phishing attachments and remains unpatched. This article provides some context of the vulnerability and demonstrates how FortiEDR provides behavior based protection from this vulnerability OOTB.

May 2022
MicroBackdoor Remote Access Tool

MicroBackdoor Remote Access Tool

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Remote Access Tool

MicroBackdoor is an open-source C2 tool (backdoor) that has been employed by a Belarusian attributed actor targeting victims in Ukraine. This article describes the associated attack chain as well as a more technical dive into the various layers of VBScript that lead to the execution of the MicroBackdoor payload, and demonstrates how FortiEDR offers protection from this tool.

April 2022
Analyzing Emotet Activity

Analyzing Emotet Activity

 

Affected Platforms: Machines running Windows operating system
Threat Type: Trojan/Malware Loader
Impacted Users: Windows Users
Impact: Data exfiltration/Follow-up activity
Severity: Critical

 

Emotet is a trojan typically employed as a first stage loader for secondary C2. In this article will dive into Emotet’s activities observed in the wild, mapping IOCs and TTPs to the cyber kill chain and the MITRE ATT&CK framework, as well as taking a deeper dive into an Emotet sample from a recent campaign to understand how some of it's code features exhibit themselves in endpoint behaviour.

March 2022
AvosLocker Ransomware

AvosLocker Ransomware

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Ransomware

AvosLocker is a new ransomware and extortion gang appearing on the ransomware scene in late 2021. AvosLocker has been known to target organizations responsible for managing critical infrastructure. This article demonstrates how FortiEDR can detect and mitigate the execution of AvosLocker ransomware out of the box.

March 2022
BlackCat (ALPHV) Ransomware

BlackCat (ALPHV) Ransomware

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Ransomware

BlackCat (aka ALPHV, AlphaVM) is a newly established RaaS (Ransomware as a Service) with payloads written in Rust. Due to the use of Rust, BlackCat ransomware is cross-platform and achieves faster encryption speed than some other Ransomware. This article will analyze FortiEDR detections and mitigation coverage for this ransomware variant and its post-execution behavior.

February 2022
HermeticWiper (KillDisk)

HermeticWiper (KillDisk)

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Wiper

On 23 Feb 2022 numerous organizations within Ukraine were targeted with attacks employing ‘KillDisk’ or ‘HermeticWiper’ malware. Once executed this malware corrupts the master boot record (MBR) of the target endpoint rendering it unusable. This article highlights how FortiEDR detects and blocks behaviour wiper activity performed by this malware.

January 2022
Spook Ransomware

Spook Ransomware

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Ransomware

Spook ransomware is the Prometheus ransomware variant currently employed by the Spook ransomware group. The group began operating in late Sep 2021 and has performed a number of large scale compromises across the globe. In this article, we will take a look into the ransomware’s behaviour and see how FortiEDR protects against it.

January 2022
MSBuild Proxy Execution

TTP Analysis: MSBuild Proxy Execution

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Defense Evasion Technique

The FortiGuard Responder team has observed attempts to employ a proxy execution technique that uses the Microsoft MSBuild to deploy Cobalt Strike beacons throughout customer environments. This article will demonstrate how FortiEDR protects against the use of this proxy execution technique and will analyze a sample observed in the wild.

January 2022
Qakbot

Analyzing MirrorBlast Proxy Execution Techniques

Affected Platforms: Machines running Windows operating system
Threat Type: Data Exfiltration
Impacted Users: Windows Users
Impact: Credential dumping, data exfiltration
Severity: Critical

MirrorBlast is a malware loader family typically deployed through phishing campaigns. MirrorBlast employs a number of unique proxy execution techniques that take advantage of both the KiXtart and Rebol scripting languages. This article includes technical analysis and IOCs related to samples collected from a spike in C2 traffic in early 2022.

December 2021
CetaRAT Remote Access Tool

CetaRAT Remote Access Tool

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Remote Access Tool

CetaRAT is a Remote Access Trojan (RAT) that has seen a recent spike in activity targeting Indian government agencies. Recently observed CetaRAT activity indicates it has been used to exfiltrate sensitive information from infected systems. This article will demonstrate how FortiEDR detects and blocks this malware.

December 2021
Qakbot

Analyzing Qakbot Banking trojan Activity

Affected Platforms: Machines running Windows operating system
Threat Type: Data Exfiltration
Impacted Users: Windows Users
Impact: Credential dumping, data exfiltration, pathway to ransomware
Severity: Critical

Qakbot, also known as Qbot, PinkslipBot, or QuackBot, has been active for more than a decade. Its modular approach in employing defensive evasion techniques makes it very resilient to detection from traditional security products. A mixture of different code injections techniques adds to the complexity of its analysis. This article includes technical analysis and IOCs related to a recent sample.

December 2021
Mitigating Log4shell Post Exploitation Activity

Mitigating Log4shell Post Exploitation Activity KB

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Remote Code Execution

A critical remote code execution vulnerability in Apache Log4j is actively being exploited in the wild. The vulnerability is due to insufficient input validation and sanitization, which allows any user input that gets logged to lead to remote code execution.

December 2021
Netlogon

Netlogon Vulnerability (ZeroLogon) - CVE-2020-1472

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Local Privilege Escalation

ZeroLogon is the name given to CVE-2020-1472, a critical elevation of privilege vulnerability in Microsoft's Netlogon Remote Protocol (MS-NRPC). Zerologon is actively being exploited in the wild for credential access and remote code execution on Windows Domain controllers and has become a key part of many adversarys intrusions.

December 2021
Windows Installer

Windows Installer Vulnerability - CVE-2021-41379

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Local Privilege Escalation

A vulnerability in Windows Installer that allows for Local Privilege Escalation (LPE) on vulnerable endpoints allowing an adversary the ability to execute code as SYSTEM. Microsoft's initial attempts at patching the vulnerability were ineffective and POC code is readily available that is still effective on fully patched systems.

November 2021
Hive Ransomware

New ProxyShell Post Exploitation Activity

Affected Platforms: Windows Endpoints, Vulnerable Microsoft Exchange Servers
Threat Type: Cryptomining
Impacted Users: Windows users
Impact: Cryptocurrency mining by taking advantage of the compromised system resources
Severity: Medium

The ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) have been aggressively targeted across the globe since late August 2021 with vulnerable servers often being compromised by multiple actors simultaneously. This article takes a deep dive into some unique TTPs employed by one of these actors as part of an investigated incident

October 2021
Malware

Mitigating Unknown .NET Malware KB

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Cryptojacking

The use of .NET malware by adversaries continues to grow and with it the need to be able to detect, analyse and mitigate behaviour associated with such threats. This article examines a new set of .NET malware variants observed by the FortiGuard Responder team in the wild used for lateral movement and persistence as a precursor to deployment of cryptoming software.

September 2021
Hive Ransomware

Hive Ransomware

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Ransomware

A new threat group named Hive that deploys a ransomware variant of the same name have begun to ramp-up operations around the globe. Notable recent intrusions in North America have propelled this group into the sights of the cybersecurity community.

September 2021

MSHTML Vulnerability – CVE-2021-40444

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Remote Code Execution

Microsoft has released a patch, mitigations, and workarounds to address a remote code execution vulnerability (CVE-2021-40444) in MSHTML that affects Microsoft Windows. Exploitation of this vulnerability allows a remote attacker to take control of an affected system by using specially-crafted Microsoft Office documents. This vulnerability has been detected in exploits in the wild.

September 2021

LockBit Ransomware

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Ransomware

LockBit 2.0 is a new LockBit variant that operates as Ransomware-as-a-Service (RaaS). This LockBit variant has an enhanced propagation component, which has never been seen in this ransomware before, and will automatically distribute itself throughout a domain.

September 2021

Conti Ransomware (3rd Version)

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Ransomware

Conti ransomware has been around since May 2020 and continues to affect a large number of companies. The FBI has linked the Conti ransomware attacks to a Russian persistent threat actor known as Wizard Spider. Conti distributes itself using BazarLoader and employs a multithreading approach to encrypt all of the files quickly. Conti is available in three different versions.

August 2021

HiveNightMare (aka SeriousSam) Vulnerability KB

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Privilege Escalation

HiveNightmare aka #SeriousSAM is a vulnerability (CVE-2021-36934) in Windows 10 and above (including Windows 11) that can be easily exploited by local non-admin users to gain admin privileges.

August 2021

GuardMiner Cryptocurrency Miner Operation Disclosed

Affected Platforms: Systems running Windows operating system
Threat Type: Baking Trojan, information stealer
Impacted Parties: Windows users
Threat Type: Baking Trojan, information stealer
Impact: Credential theft, data exfiltration
Severity Level: Critical

The FortiGuard Responder team analyzed patterns in post exploitation activity associated with MS SQL compromises within FortiEDR platforms. The campaign the MDR team observed is related to the GuardMiner.

August 2021

PrintNightmare Vulnerability CVE-2021-34527 KB

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Privilege Escalation

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert following the disclosure of a proof of concept (PoC) exploit for a zero-day vulnerability in the Windows Print Spooler service. This critical vulnerability has been dubbed PrintNightmare and is assigned CVE-2021-34527.

August 2021

Juicy Potato Hacking Tool Discovered on Compromised Web Servers

Affected Platforms: Systems running Windows operating system
Threat Type: Local privilege escalation
Impacted Parties: Windows users
Impact: Allows an attacker to gain system-level privileges to run any arbitrary commands
Severity Level: Critical

JuicyPotato (also known as SharpPotato and SweetPotato) is a weaponized version of RottenPotatoNG, a Windows privilege-escalation hacking tool.

July 2021

Kaseya VSA Attack

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Supply chain attack with escalated privileges

CISA released guidance earlier this weekend which identifies a suspected supply-chain attack on the Kaseya VSA application. Kaseya VSA is a commercial tool used for remote management and administration of a network.

July 2021

New Post-infection Activity of Lemon Duck Botnet Discovered

Affected Platforms: Systems running Windows operating system
Threat Type: Cryptocurrency mining botnet
Impacted Parties: Windows and Linux users
Impact: Data exfiltration to attacker-operated command and control servers, cryptocurrency mining by taking advantage of the compromised system resources
Severity Level: Critical

Lemon Duck is a modular crypto-mining botnet with worm-like spreading capability. This botnet has been active since December 2018, targeting victims across the globe, including North America, South America, Africa, Europe, and Southeast Asia.

July 2021

IcedID (a.k.a BokBot) Infections On The Rise

Affected Platforms: Systems running Windows operating system
Threat Type: Baking Trojan, information stealer
Impacted Parties: Windows users
Impact: Credential theft, data exfiltration
Severity Level: Critical

IcedID (also known as BokBot) is a banking Trojan that gets distributed through phishing email campaigns. This banking Trojan targets victims to steal financial information, including payment card details, login credentials, and banking information.

July 2021

Revil Ransomware (aka Sobinokibi)

Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Ransomware

The Revil Ransomware-as-a-Service (RaaS) operation, also known as Sodinokibi surfaced shortly before GandCrab’s authors supposedly retired and quickly became one of the biggest ransomware threats.