January 21, 2025 Cyber Threat Intelligence Briefing

Jan 21, 2025

This week’s briefing covers:

00:00 - Intro and Situational Awareness

Kroll Out of Band Published - FortiOS and FortiProxy
Kroll Threat Intelligence has published an out-of-band report on CVE-2024-55591, which affects FortiOS and FortiProxy. The vulnerability has a CVSS score of 9.8 and has been exploited in the wild.

Malicious NPM Packages Added
Snyk, a security company focused on secure application development, has been observed publishing malicious packages to NPM, JavaScript's prominent open-source registry. The packages behaved like information stealers: they collected and exfiltrated data about the host system, including environment variables, which are often used to hold secrets such as private keys.

59 Cleo Victim Organizations Released by CL0P
CL0P has named approximately 59 victim organizations from its exploitation of the Cleo zero-day vulnerability. At the time of writing, no files are available for download for these companies.

FastHTTP Utilized in High Speed Microsoft 365 Password Attacks
Researchers have uncovered a campaign that uses the FastHTTP Go library to launch high-speed brute-force password attacks against Microsoft 365 accounts worldwide. The attacks began on January 6, 2025 and target the Azure Active Directory Graph API.

4:28 – FortiGate Firewall Configurations Leaked
Key Takeaways

  • On January 14, 2025, a new threat actor using the moniker 'Belsen_Group' posted a data dump of FortiGate Firewall configurations.
  • The data dump is a 1.6 GB archive containing 15,574 folders. Each folder is named in the format “[IP]_[PORT]” and contains the compromised configuration files for that device.
  • Our analysis so far suggests the data was collected through mass exploitation of CVE-2022-40684, most likely between 2022 and 2023, and is not related to the recent exploitation of Fortinet devices via CVE-2024-55591.
  • Near term exploitation of this information is highly likely.
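The first check a practitioner will want is whether any of their own devices appear in the dump. Because the folders are named “[IP]_[PORT]”, a listing of folder names can be matched against an organization's public IP ranges without unpacking any configuration files. The script below is an added example written for this briefing, not Kroll tooling or part of the dump; the folder names are constructed from documentation address ranges, and the CIDRs are placeholders for your own allocations.

```python
"""Match '[IP]_[PORT]' folder names from a config dump against your own IP ranges.

Added example for this briefing; not Kroll tooling. Folder names below are
constructed from RFC 5737 documentation ranges, not entries from the real leak.
"""
import ipaddress

# Constructed sample folder names in the "[IP]_[PORT]" format the dump uses.
SAMPLE_FOLDERS = [
    "192.0.2.10_443",
    "192.0.2.10_8443",
    "198.51.100.7_10443",
    "203.0.113.55_443",
    "not_a_folder",       # malformed entry to show the parser rejecting it
]

# Placeholder organization ranges; replace with your own public allocations.
ORG_CIDRS = ["192.0.2.0/24", "198.51.100.0/25"]


def parse_folder(name):
    """Split '<ip>_<port>' into (ip_address, port); return None if malformed.

    rpartition on '_' keeps the parser tolerant if an IPv6 literal or a
    stray underscore ever appears in the address part.
    """
    ip_part, sep, port_part = name.rpartition("_")
    if not sep or not port_part.isdigit():
        return None
    try:
        ip = ipaddress.ip_address(ip_part)
    except ValueError:
        return None
    port = int(port_part)
    if not 0 < port < 65536:
        return None
    return ip, port


def match_dump_to_ranges(folder_names, cidrs):
    """Return (matches, malformed).

    matches: list of (ip, port, matching_cidr) for folders inside any CIDR.
    malformed: folder names that did not parse, so they can be reviewed by hand.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    matches, malformed = [], []
    for name in folder_names:
        parsed = parse_folder(name)
        if parsed is None:
            malformed.append(name)
            continue
        ip, port = parsed
        for net in nets:
            if ip in net:
                matches.append((str(ip), port, str(net)))
                break
    return matches, malformed


if __name__ == "__main__":
    hits, bad = match_dump_to_ranges(SAMPLE_FOLDERS, ORG_CIDRS)
    for ip, port, net in hits:
        print(f"HIT {ip}:{port} falls in {net}: treat config, creds and certs as exposed")
    for name in bad:
        print(f"could not parse folder name: {name}")
```

In practice, feed it the output of a directory listing of the extracted archive. A hit means the device's full configuration, including any local user hashes, VPN pre-shared keys and certificates present in the file, should be treated as exposed even if the device has since been patched for CVE-2022-40684.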

7:41 – Microsoft Patch Tuesday
Microsoft has fixed 210 vulnerabilities in January’s patch cycle and Microsoft Edge releases.

11:56 – CVE-2024-44243 - macOS System Integrity Protection (SIP) Bypass
A local macOS vulnerability (CVE-2024-44243) was found in the Storage Kit daemon, storagekitd, allowing an attacker who already has root privileges to bypass SIP.

13:21 – Ransomware Roundup
CODEFINGER Ransomware Abuses AWS to Encrypt S3 Buckets
A campaign by a new group dubbed CODEFINGER has been observed abusing Amazon Web Services (AWS) to encrypt the contents of S3 buckets. The group used publicly disclosed or previously compromised AWS keys with permission to read and write S3 objects, then re-wrote the objects with server-side encryption with customer-provided keys (SSE-C) by sending the "x-amz-server-side-encryption-customer-algorithm" header together with an AES-256 key they had generated. Because AWS does not retain SSE-C keys, the objects cannot be recovered without the attacker's key.
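Two practical controls follow from how this abuse works: look back through CloudTrail S3 data events for writes that used SSE-C, and deny SSE-C writes on buckets that have no legitimate use for customer-provided keys. The script below is an added example for this briefing, not Kroll code or the group's tooling. The CloudTrail records are constructed samples, and the field names (requestParameters keys and additionalEventData.SSEApplied) are assumed to follow the CloudTrail S3 data-event format; confirm them against records from your own trail before relying on the detection.

```python
"""Detect past SSE-C writes in CloudTrail and build a bucket policy that blocks them.

Added example for this briefing; not Kroll code. Sample records are constructed
and field layouts are assumed to match CloudTrail S3 data events.
"""
import json

# Constructed CloudTrail S3 data-event records (not real telemetry).
SAMPLE_EVENTS = [
    {   # attacker re-encrypting an object with a customer-provided key
        "eventTime": "2025-01-06T08:14:11Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject",
        "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000001"},
        "requestParameters": {
            "bucketName": "finance-backups",
            "key": "ledger-2024.csv",
            "x-amz-server-side-encryption-customer-algorithm": "AES256",
        },
        "additionalEventData": {"SSEApplied": "SSE_C"},
    },
    {   # normal write using KMS-managed encryption
        "eventTime": "2025-01-06T08:14:12Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject",
        "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000002"},
        "requestParameters": {
            "bucketName": "finance-backups",
            "key": "report.pdf",
            "x-amz-server-side-encryption": "aws:kms",
        },
        "additionalEventData": {"SSEApplied": "SSE_KMS"},
    },
    {   # a read: the attacker must fetch plaintext before overwriting it
        "eventTime": "2025-01-06T08:14:10Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000001"},
        "requestParameters": {"bucketName": "finance-backups", "key": "ledger-2024.csv"},
    },
]

# Object-write calls that can carry an SSE-C key.
WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload", "UploadPart"}


def uses_ssec(event):
    """True if either the request header or the SSEApplied summary shows SSE-C."""
    params = event.get("requestParameters") or {}
    extra = event.get("additionalEventData") or {}
    return (
        "x-amz-server-side-encryption-customer-algorithm" in params
        or extra.get("SSEApplied") == "SSE_C"
    )


def find_ssec_writes(events):
    """Return one summary dict per S3 write that used a customer-provided key."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        if ev.get("eventName") not in WRITE_EVENTS or not uses_ssec(ev):
            continue
        params = ev.get("requestParameters") or {}
        hits.append({
            "time": ev.get("eventTime"),
            "event": ev.get("eventName"),
            "bucket": params.get("bucketName"),
            "key": params.get("key"),
            "access_key": (ev.get("userIdentity") or {}).get("accessKeyId"),
        })
    return hits


def deny_ssec_policy(bucket):
    """Bucket policy denying any PutObject that carries the SSE-C algorithm header.

    The Null condition is false only when the header is present, so the Deny
    matches exactly the SSE-C case. CopyObject is covered too, since it needs
    s3:PutObject on the destination.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCustomerProvidedKeyWrites",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {
                "Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}
            },
        }],
    }


if __name__ == "__main__":
    for hit in find_ssec_writes(SAMPLE_EVENTS):
        print("SSE-C write:", hit)
    print(json.dumps(deny_ssec_policy("finance-backups"), indent=2))
```

Run the detection over your trail's S3 data events (they are not logged unless data events are enabled for the bucket, which is itself worth checking). Any hit from an access key that does not belong to a workload known to use SSE-C warrants immediate key revocation. The policy blocks new SSE-C writes but does nothing for objects already re-encrypted, so versioning and backups remain the recovery path.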

FUNKSEC Ransomware Created Using AI
FUNKSEC ransomware, first reported on by Kroll in December 2024, is file-encrypting malware written in Rust that was likely created with the help of AI. FUNKSEC runs double-extortion campaigns under a ransomware-as-a-service (RaaS) model.

Dive deeper:

Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report

Kroll’s Q2 2024 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q2-2024-threat-landscape-report-threat-actors-ransomware-cloud-risks-accelerate

Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings

Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber

Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services

Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports

Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder

#krollcyber #threatintelligence #cyberthreats