Introduction
In the realm of cybersecurity, vigilance is not just recommended; it's mandatory. The recent disclosure of CVE-2024-21762, an out-of-bound write vulnerability in FortiOS/FortiProxy's sslvpnd, underscores this reality. Released on February 8, 2024, this vulnerability has left more than 150,000 firewalls exposed to potential exploitation.
Understanding CVE-2024-21762
CVE-2024-21762 poses a significant risk, enabling unauthorized actors to execute arbitrary code or disrupt services through a specially crafted SSL VPN request. This vulnerability's discovery and the subsequent release of a patch by Fortinet signal the critical nature of the threat and the need for immediate action by network administrators.
Threat Actors Selling Access to FortiGate Devices
Also, multiple threat actors have come up to sell access to FortiGate devices. This emergent black market for network access signifies a heightened threat level for organizations using FortiGate firewalls, especially those who have not yet applied the critical CVE-2024-21762 patch.
Threat Actor and Forum Activity Exposed
Our analysis conducted confirm that access were started being sold beginning from March 6th, 2024, has identified a total of 32 distinct instances where access to compromised devices was sold.
BreachForums has emerged as the primary marketplace for these illicit activities, highlighting the need for increased surveillance and control measures on these platforms.
The accompanying bar chart below succinctly summarizes the activity of both the threat actors and the forums involved, underlining the critical areas of focus for cybersecurity efforts.
The Market of Exploits
What's more alarming is the commercialization of this vulnerability. Exploits are now being sold for around 300 dollars in bitcoin, making it accessible to a wide range of malicious actors. Forums such as BreachForums, XSS.is, and Raid Forum have become hotspots for such transactions, with over 32 posts from 5 different threat actors selling access to compromised FortiGate devices.
Immediate Steps for Mitigation:
- Patch Application: If you haven't already, applying the patch released by Fortinet is the first and most crucial step. Delaying this action leaves your network at an unacceptable risk.
- Penetration Testing: Regular penetration testing can uncover potential vulnerabilities before they can be exploited. In light of CVE-2024-21762, conducting a thorough penetration test should be a priority.
- Monitoring and Response: Stay vigilant. Monitor your network for any unusual activity and have a response plan in place. Early detection can mitigate the damage caused by a successful exploit.
Conclusion
The disclosure of CVE-2024-21762 serves as a reminder of the ever-present threats in the digital landscape. As we navigate these turbulent waters, the importance of proactive measures and robust security protocols cannot be overstated. By taking immediate action and adhering to best practices, we can shield our networks from harm and maintain the integrity of our digital infrastructures. For more detailed information and guidance, visit FortiGuard Labs at https://www.fortiguard.com/psirt/FG-IR-24-015.
