Citrix and Fortinet patch zero-days exploited in APT and ransomware campaigns

Updated on 2022-12-15: Citrix and Fortinet patch zero-days exploited in APT and ransomware campaigns

Citrix and Fortinet, two of today’s largest providers of enterprise networking equipment, have released security updates to patch two zero-day vulnerabilities that were exploited in the wild against their devices.

The Fortinet zero-day (CVE-2022-42475) is an unauthenticated RCE that impacts the FortiOS operating system that runs on the company’s SSL-VPN devices. According to reports, the vulnerability was being exploited to gain access to corporate networks and then deploy ransomware. This zero-day was first spotted exploited in the wild by French security firm Olympe last week, and Fortinet deserves some credit for patching it over the weekend in just three days.

Similarly, the Citrix zero-day (CVE-2022-27518) is also an unauthenticated RCE as well. It impacts the company’s ADC and Gateway devices, and the exploitation was spotted by none other than the US National Security Agency.

Overview: Citrix and Fortinet patch zero-days exploited in APT and ransomware campaigns

Citrix and Fortinet, two of today’s largest providers of enterprise networking equipment, have released security updates to patch two zero-day vulnerabilities that were exploited in the wild against their devices.

The Fortinet zero-day (CVE-2022-42475) is an unauthenticated RCE that impacts the FortiOS operating system that runs on the company’s SSL-VPN devices.

According to reports, the vulnerability was being exploited

to gain access to corporate networks and then deploy ransomware. Sadly, we couldn’t get anyone to spill the beans on which ransomware gang was behind this.

This zero-day was first spotted exploited in the wild by French security firm Olympe last week, and Fortinet deserves some credit for patching it over the weekend in just three days.

Similarly, the Citrix zero-day (CVE-2022-27518) is also an unauthenticated RCE as well. It impacts the company’s ADC and Gateway devices, and the exploitation was spotted by none other than the US National Security Agency.

In a security advisory [PDF], the NSA said it saw the APT5 (UNC2630, MANGANESE) Chinese cyber-espionage group leveraging the Citrix zero-day but did not elaborate on targeting.

In a rare and very surprising step, the NSA released IOCs from its investigations and asked the cybersecurity industry to share additional insights they have or find related to this zero-day’s exploitation “in order to enhance understanding of this activity and so that it can be used to improve the overall security posture of the Defense Industrial Base, DoD, and USG.”

In addition, yesterday was also the December Patch Tuesday. This month, we had security updates released by Adobe, Android, Apple, Microsoft, Mozilla, SAP, VMware, and others.

Microsoft fixed 72 security flaws this month, including a zero-day tracked as CVE-2022-44698 that was used by threat actors to bypass Microsoft’s SmartScreen and Mark-of-the-Web technologies using standalone JavaScript files.

The OS maker also issued a general security advisory regarding recent incidents where drivers certified by Microsoft’s Windows Hardware Developer Program were used in malicious intrusions to deploy malware that appeared to come from drivers signed by Microsoft.

“We were notified of this activity by SentinelOne, Mandiant, and Sophos on October 19, 2022, and subsequently performed an investigation into this activity. This investigation revealed that several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature. A new attempt at submitting a malicious driver for signing on September 29, 2022, led to the suspension of the sellers’ accounts in early October.”

Notable, the Hive and Cuba ransomware strains were deployed using drivers “signed by Microsoft” in some attacks, according to reports from SentinelOne and Sophos. Mandiant also has a report out on these attacks but does not mention ransomware being deployed, linking all malicious activity to a financially-motivated group it tracks as UNC3944.

Oh… and the Apple security updates also fix a WebKit zero-day (CVE-2022-42856) that was used in targeted against iOS users. So don’t forget to update your iPhones this week.