Nearly 1 million Fortinet and SonicWall devices with actively exploited vulnerabilities are exposed on the internet, according to Cyble’s weekly vulnerability report published today.
The report also looked at dark web exploits and vulnerabilities in Grafana Labs and CyberPanel, and a separate Cyble blog reported active cyberattacks on WordPress plugins, IoT devices and VNC and RDP remote access ports detected by the threat intelligence company’s honeypot sensors.
‘FortiJump,’ FortiOS CVEs Under Attack
Cyble scanners identified nearly 500,000 Fortinet devices and instances exposed to two actively exploited vulnerabilities, including 62,000 FortiManager instances and 427,000 internet-facing Fortinet devices.
CVE-2024-47575, also known as “FortiJump,” is the most recent of the two exploited vulnerabilities. The FortiManager flaw could let a threat actor execute arbitrary code or commands via specially crafted requests. The vulnerability has been exploited since at least June, and for 10 or more days before the CVE was disclosed, security researchers and FortiManager users were reporting attacks on an unnamed zero-day vulnerability in the product.
Cyble reported that Fortinet notified customers of a FortiManager vulnerability and provided some recommended mitigations a week before the CVE was released, but as some customers said they didn’t get that communication, Fortinet’s advisory process might need some fine-tuning.
Cyble researchers also observed threat actors on a cybercrime forum discussing exploits of CVE-2024-23113, a critical vulnerability in multiple versions of FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager that could allow for remote exploits by unauthenticated attackers.
SonicWall, CyberPanel Flaws Exploited in Ransomware Attacks
Cyble detected more than 486,000 SonicWall devices exposed to CVE-2024-40766, a 9.8-severity improper access control vulnerability in the administrative interface and controls of the SonicOS operating system used for managing SonicWall devices and firewalls. Managed security firm Arctic Wolf has reported that Fog and Akira ransomware operators are exploiting the vulnerability in SSL VPN environments.
CyberPanel instances have been hit by mass ransomware and cryptominer attacks thanks to a pair of 10.0-severity vulnerabilities, CVE-2024-51567 and CVE-2024-51568. The open-source web hosting control panel is used to simplify server management, particularly for those using the LiteSpeed web server. Of nearly 33,000 exposed CyberPanel instances detected by Cyble, more than half have been hit in the attacks.
Cyble also reported on CVE-2024-9264, a 9.4-severity vulnerability in the SQL Expressions experimental feature of the Grafana open-source analytics platform, and CVE-2024-46483, a critical integer overflow vulnerability in Xlight FTP Server.
Cyble Sensors Detect Attacks on WordPress Plugins, IoT Devices
Cyble’s sensor intelligence report, meanwhile, revealed active attacks on the LightSpeed Cache and GutenKit WordPress plugins.
Older vulnerabilities in hard-to-update IoT devices used in industrial and critical environments remain under very high levels of attack, including a Treck TCP/IP vulnerability that was targeted 361,000 times in the most recent report.
Cyble also detailed attacks and brute-force attempts on RDP (port 3389) and Virtual Network Computing (VNC, port 5900) remote access protocols and ports – RDP in particular has been targeted in a recent Russian “Midnight Blizzard” campaign against Ukraine.
