Happy Friday! As a quick reminder, this is a lighter week as VulnCheck observed a holiday Monday and a company-wide offsite for three days. The following are the release notes from the Initial Access Intelligence team over the last week:

STATUS UPDATE: CVE-2024-47575 Fortinet FortiManager fgfmd Missing Authentication

Exciting movement for this vulnerability. Two public exploits have been released, but only one includes the working FortiGate signed certificate needed to impersonate a FortiGate device. The team delivered Snort and Suricata threat signatures covering both parts of the attack chain (registering as a FortiGate device and sending remote commands to execute), along with a signature for the certificate included in the public proof of concept, which we believe will be heavily reused in attacks to come. The team is actively developing a validation check and an exploit to release in the coming days.

CVE-2024-20017: Netgear WAX206

The team has developed search engine queries and a version scanner for Netgear WAX206 devices affected by CVE-2024-20017 (a memory corruption issue affecting a proprietary MediaTek binary). The team is projected to deliver a full exploit and associated artifacts next week.

IP-Intel Update

Tracking of RedGuard C2 Redirector was added under the C2 tag. RedGuard is a popular red teaming tool and has been associated with threat actors such as Earth Krahang. Additionally, tracking of ngrok was added under the proxy tag. ngrok is both commercially available and open source and has been associated with attackers such as ToddyCat.