Threat
alerts

Threat actor group “Midnight Blizzard” has been recently observed targeting several industries and sectors in a new highly sophisticated spear-phishing campaign that contains a signed Remote Desktop Protocol (RDP) configuration file. This operation targets individuals in government and non-governmental organizations across over 100 entities.

A critical vulnerability has been identified in the FortiManager fgfmd daemon, allowing remote unauthenticated attackers to execute arbitrary code or commands. The missing authentication vulnerability has been actively exploited in the wild, posing a severe risk to organizations using FortiManager and FortiAnalyzer models.

Ivanti issued a security update for three new zero-day vulnerabilities in its Cloud Services Appliance (CSA), which are being reported as exploited. These are tracked under CVE-2024-9379, CVE-2024-9380, and CVE-2024-9381.

Broadcom has patched a critical vulnerability in VMware vCenter Server, which could allow attackers to achieve remote code execution (RCE) by exploiting a heap overflow flaw in the DCE/RPC (Distributed Computing Environment/Remote Procedure Call) protocol. The vulnerability allows unauthenticated attackers to send specially crafted network packets to unpatched servers, leading to potential system compromise.

Palo Alto’s Unit 42 team has uncovered a WikiLoader loader variant delivered via SEO poisoning and spoofing their GlobalProtect VPN tool. Threat actors exploit users’ trust when downloading software by closely mimicking the legitimate download page. SEO poisoning and malicious ads are increasingly becoming a technique used by attackers to effectively deliver loaders to endpoints. The sophisticated campaign employs two stages: the infection process and leveraging advanced command-and-control (C&C) infrastructure.