
FortiGuard Labs | FortiGuard Center - Threat Signal Report

The Threat Signal created by FortiGuard Labs is intended to provide insight into emerging issues trending in the cyber threat landscape. Each Threat Signal gives concise technical details about the issue, mitigation recommendations, and the FortiGuard Labs team's perspective in an FAQ-style format.

What is the Attack?

A newly disclosed vulnerability, CVE-2026-32202, stems from an incomplete Microsoft patch for a previously exploited remote code execution flaw (CVE-2026-21510). The original update addressed the RCE and a SmartScreen bypass but left a residual zero-click NTLM authentication coercion issue: an attacker can force a victim system to authenticate to an attacker-controlled server with no user interaction, exposing NTLM credential material for relay or offline cracking.

The threat activity has been linked to APT28 (also known as Fancy Bear / UAC-0001), targeting organizations across Ukraine and the EU. Public reporting places the start of the activity against the original vulnerability chain in December 2025, with exploitation confirmed in the wild by January 2026, ahead of Microsoft's February Patch Tuesday release.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued remediation directives to federal agencies, citing confirmed zero-day exploitation involving CVE-2026-32202.

Vulnerability Chain Overview

The attack chain combines multiple flaws triggered through crafted LNK files:

  • CVE-2026-21510: remote code execution (addressed by the original patch)
  • CVE-2026-21513: malicious LNK file handling flaw
  • CVE-2026-32202: residual zero-click NTLM authentication coercion (survives the original patch)

What is the recommended Mitigation?

  • Apply the latest Microsoft updates addressing CVE-2026-32202 and the related CVEs; the earlier update for CVE-2026-21510 alone does not close the coercion issue.

  • Disable NTLM where possible. Where it cannot be removed, restrict outgoing NTLM to remote servers (the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy) and block outbound TCP/445 at the network edge so a coerced authentication never reaches an external host.

  • Require SMB signing and enforce Extended Protection for Authentication (EPA) on services that accept NTLM, which blunts relay of any captured authentication.

  • Monitor for anomalous outbound authentication attempts (e.g., SMB or HTTP with NTLM to untrusted hosts).

  • Block or inspect LNK files arriving through email, downloads, and removable media.

Detection Opportunities

  • Outbound NTLM authentication attempts to unknown or external IPs

  • Suspicious LNK file execution or delivery patterns

  • Indicators tied to known APT28 infrastructure or tactics
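As an added example in support of the LNK inspection and detection points above (not FortiGuard or Microsoft code), the following Python script triages .lnk files for the remote references that make a shortcut worth blocking. It parses the shell link header and StringData per the public MS-SHLLINK layout, scans the remaining bytes for UNC paths and URLs, and builds its own sample shortcuts inline. The heuristic is generic; it is not a detector for the specific trigger of CVE-2026-32202, which the report does not describe.

```python
"""Triage .lnk files for references to remote (UNC or URL) resources.

Added example for this report; not FortiGuard or Microsoft code. Header and
StringData layout follow the public MS-SHLLINK specification. Sample shortcuts
are constructed inline; the remote-reference check is a generic triage
heuristic, not a signature for the specific flaw described above.
"""
import re
import struct
import sys

HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} as stored on disk (little-endian GUID fields)
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits used here (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_DATA_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                      (0x20, "arguments"), (0x40, "icon_location"))  # on-disk order
# UNC path (\\host\share...) or http(s) URL; control chars end a match so NUL padding is not swallowed
REMOTE_RE = re.compile(r"\\\\[^\\\s\x00-\x1f]+\\[^\s\x00-\x1f]*|https?://[^\s\x00-\x1f]+", re.IGNORECASE)


def parse_lnk(data: bytes) -> dict:
    """Validate the ShellLinkHeader, skip IDList/LinkInfo, and decode StringData."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfo begins with its own total size
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for bit, name in STRING_DATA_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, not bytes
        pos += 2
        if flags & IS_UNICODE:
            strings[name] = data[pos:pos + 2 * count].decode("utf-16-le", errors="replace")
            pos += 2 * count
        else:
            strings[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return {"flags": flags, "strings": strings}


def remote_references(data: bytes) -> list[str]:
    """Return 'field: reference' for each UNC/URL reference in the shortcut.

    StringData is read structurally; the raw file is also scanned at both UTF-16
    alignments and as single-byte text so paths inside LinkInfo or ExtraData
    blocks (not parsed here) still surface.
    """
    found, seen = [], set()

    def add(source: str, ref: str) -> None:
        if ref.lower() not in seen:
            seen.add(ref.lower())
            found.append(f"{source}: {ref}")

    for field, value in parse_lnk(data)["strings"].items():
        for ref in REMOTE_RE.findall(value):
            add(field, ref)
    for offset in (0, 1):
        for ref in REMOTE_RE.findall(data[offset:].decode("utf-16-le", errors="ignore")):
            add("raw-utf16", ref)
    for ref in REMOTE_RE.findall(data.decode("latin-1")):
        add("raw-ansi", ref)
    return found


def build_sample_lnk(icon_location: str, arguments: str = "") -> bytes:
    """Constructed sample: a minimal Unicode shortcut carrying only StringData."""
    flags = 0x08 | 0x40 | IS_UNICODE | (0x20 if arguments else 0)
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, timestamps, reserved fields zeroed

    def string_data(value: str) -> bytes:
        return struct.pack("<H", len(value)) + value.encode("utf-16-le")

    body = string_data(".\\invoice.pdf")
    if arguments:
        body += string_data(arguments)
    body += string_data(icon_location)
    return header + body + b"\x00\x00\x00\x00"  # TerminalBlock


if __name__ == "__main__":
    samples = {"benign.lnk": build_sample_lnk("C:\\Windows\\System32\\shell32.dll"),
               "suspicious.lnk": build_sample_lnk("\\\\203.0.113.10\\share\\icon.ico")}
    for path in sys.argv[1:]:  # real shortcuts can be passed on the command line
        with open(path, "rb") as fh:
            samples[path] = fh.read()
    for name, blob in samples.items():
        refs = remote_references(blob)
        print(f"{name}: {'; '.join(refs) if refs else 'no remote references'}")
```

Any shortcut whose icon, target, working directory or arguments point at a UNC share or URL is worth quarantining at the mail gateway regardless of which CVE it carries, because resolving such a reference is the classic way a shortcut makes Windows authenticate outbound.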

What FortiGuard Coverage is available?

• FortiGuard Intrusion Prevention System (IPS) Service: FortiGuard IPS provides coverage to detect and block exploitation attempts targeting CVE-2026-32202. Intrusion Prevention | FortiGuard Labs

• FortiGuard Antivirus & Behavior Detection: Protects against malicious payloads and post-exploitation activity, including detection of suspicious LNK file execution, abnormal authentication behavior, and attempts to coerce outbound NTLM authentication to attacker-controlled infrastructure.

• FortiGuard Endpoint Vulnerability Service provides a systematic and automated method of patching, eliminating manual processes while reducing the attack surface for CVE-2026-21510, CVE-2026-21513, and CVE-2026-32202. Endpoint Vulnerability | FortiGuard Labs

• FortiGuard Incident Response: Organizations that suspect exposure to exploitation activity linked to APT28 or these vulnerabilities should engage FortiGuard Incident Response for rapid investigation, credential exposure assessment, containment, and remediation.

• FortiGuard Web Filtering: Blocks access to known malicious domains and attacker-controlled servers used for NTLM hash capture, payload delivery, and command-and-control communication.

What is the Vulnerability?

CVE-2026-34197 is a high-severity remote code execution (RCE) vulnerability affecting Apache ActiveMQ Classic. The flaw resides in the exposed Jolokia JMX-HTTP interface and allows attackers to execute arbitrary commands on the underlying system via crafted broker management requests.

Recent reporting indicates that this vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild and elevating its priority for remediation.

What is the recommended Mitigation?

• Immediate action: upgrade Apache ActiveMQ Classic to 5.19.4 or later (5.x branch) or 6.2.3 or later (6.x branch).
• Restrict access to the ActiveMQ web console and its /api/jolokia endpoint (port 8161 by default); keep management interfaces on internal networks or behind a VPN.
• Disable Jolokia if it is not needed, or tightly restrict it and limit which MBean operations may be executed.
• Enforce strong authentication and remove default credentials.
• Monitor for abnormal Jolokia API usage, in particular exec requests against broker MBeans, and review request logs for them.
• Track outbound connections from the broker host to untrusted hosts.
• Use EDR to detect suspicious child processes spawned by the ActiveMQ Java process.
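The monitoring and version points above can be checked with a short script. The following Python, added here as an example and not FortiGuard or Apache code, parses Jolokia requests from access-log records in both the GET path form and the POST JSON form (single or bulk), reports any exec or write operations, and compares a broker version string against the fixed releases named above. The records and the MBean operations in them are constructed; the /api/jolokia path and port 8161 are ActiveMQ Classic defaults.

```python
"""Flag Jolokia requests that invoke MBean operations, and check the broker version.

Added example for this report, not FortiGuard or Apache code. Jolokia takes GET
requests of the form .../jolokia/<type>/<mbean>/<operation-or-attribute>/... and
POST bodies holding one JSON request object or an array of them; both forms are
parsed. The access-log records are constructed, and the MBean operations in them
are ordinary management calls used only to exercise the parser.
"""
import json
import re
from urllib.parse import unquote

# Jolokia request types that change state or run code; read/list/search/version are read-only.
MUTATING_TYPES = {"exec", "write"}
FIXED_VERSIONS = {5: (5, 19, 4), 6: (6, 2, 3)}  # from the advisory: 5.19.4+ and 6.2.3+


def ops_from_path(path: str) -> list[tuple[str, str, str]]:
    """Parse the GET form into (type, mbean, operation-or-attribute)."""
    path = unquote(path.split("?", 1)[0])
    idx = path.find("jolokia/")
    if idx < 0:
        return []
    parts = [p for p in path[idx + len("jolokia/"):].split("/") if p]
    if len(parts) < 2:
        return []
    return [(parts[0].lower(), parts[1], parts[2] if len(parts) > 2 else "")]


def ops_from_body(body: str) -> list[tuple[str, str, str]]:
    """Parse the POST form; a body may carry one request or a bulk array."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return []
    ops = []
    for req in (doc if isinstance(doc, list) else [doc]):
        if isinstance(req, dict):
            op = req.get("operation") or req.get("attribute") or ""
            ops.append((str(req.get("type", "")).lower(), str(req.get("mbean", "")), str(op)))
    return ops


def mutating_ops(record: dict) -> list[tuple[str, str, str]]:
    """Return the state-changing Jolokia operations in one access-log record."""
    ops = ops_from_path(record.get("path", ""))
    if record.get("method", "").upper() == "POST":
        ops += ops_from_body(record.get("body", ""))
    return [op for op in ops if op[0] in MUTATING_TYPES]


def is_patched(version: str) -> bool:
    """True when an ActiveMQ Classic version is at or above the fixed release for its branch."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) if x else 0 for x in m.groups())
    fixed = FIXED_VERSIONS.get(major)
    return fixed is not None and (major, minor, patch) >= fixed


# Constructed records in the shape a reverse proxy or the Jetty request log yields after parsing.
SAMPLE_RECORDS = [
    {"src": "10.0.0.8", "method": "GET",
     "path": "/api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost/TotalConnectionsCount"},
    {"src": "203.0.113.7", "method": "GET",
     "path": "/api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/addQueue/staging"},
    {"src": "203.0.113.7", "method": "POST", "path": "/api/jolokia/",
     "body": '[{"type":"version"},{"type":"write","mbean":"org.apache.activemq:type=Broker,'
             'brokerName=localhost","attribute":"MemoryLimit","value":1}]'},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        for req_type, mbean, op in mutating_ops(rec):
            print(f"ALERT {rec['src']} {rec['method']} {req_type} {mbean} {op}")
    for v in ("5.18.3", "5.19.4", "6.1.7", "6.2.3"):
        print(f"ActiveMQ {v}: {'patched' if is_patched(v) else 'UPGRADE'}")
```

Feed it parsed records from the console's request log or a reverse proxy in front of port 8161; in a healthy deployment exec and write calls come only from a known automation host, so anything else is an alert, not a baseline.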

What FortiGuard Coverage is available?

• FortiGuard Intrusion Prevention System (IPS) Service: FortiGuard IPS Service is available to detect and block exploit attempts targeting CVE-2026-34197.

• FortiGuard Antivirus & Behavior Detection: Protects against known malware and leverages advanced behavioral analysis to detect suspicious activity, including abnormal process execution originating from exploited ActiveMQ services.

• FortiGuard Incident Response: Organizations that suspect exposure or compromise involving vulnerable Apache ActiveMQ instances should engage FortiGuard Incident Response for rapid investigation, containment, and remediation.

• FortiGuard Web Filtering: Blocks access to known malicious payload-hosting sites.

What is the Attack?

Microsoft Threat Intelligence has identified Storm-1175, a financially motivated threat actor conducting high-tempo ransomware operations with the Medusa ransomware variant. The group specializes in rapidly exploiting vulnerable web-facing systems, weaponizing newly disclosed vulnerabilities (N-days) and, in some cases, zero-days.
Storm-1175 | Medusa ransomware operations | Microsoft Security Blog

A defining characteristic of this campaign is speed; attackers can move from initial access to full ransomware deployment within 24 hours, significantly reducing detection and response windows.

• Observed targeting includes:
Healthcare
Education
Financial services
Professional services

• Primary regions impacted:
United States
United Kingdom
Australia

What is the recommended Mitigation?

• Patch immediately: Prioritize newly disclosed vulnerabilities affecting internet-facing systems
• Reduce attack surface: Restrict or isolate exposed services and admin interfaces
• Monitor RMM usage: Detect abnormal use of tools like AnyDesk, ScreenConnect, or similar
• Harden identity security: Enforce MFA and monitor for anomalous account creation
• Enhance detection: Focus on early indicators such as unusual authentication, privilege escalation, and data movement

What FortiGuard Coverage is available?

• FortiGuard IPS Service: Detects and blocks exploit attempts targeting vulnerable web-facing assets.
• FortiGuard Antivirus & Behavior Detection: Identifies Medusa ransomware and suspicious post-exploitation activity.
• FortiGuard Labs Threat Intelligence: Continuously tracks Storm-1175 activity, emerging CVEs, and IOCs.
• FortiGuard Incident Response: Provides rapid containment, forensic investigation, and recovery support for impacted organizations.

What is the Attack?

Operation TrueChaos is a targeted cyber espionage campaign exploiting a zero-day vulnerability in the TrueConf video conferencing platform. The campaign primarily targets government entities in Southeast Asia by replacing a legitimate update with a malicious one. Threat actors effectively weaponized the product’s trusted update mechanism, transforming it into a covert malware distribution channel.

The campaign has been observed leveraging this flaw to deploy the open-source Havoc command-and-control (C2) framework to compromised endpoints, enabling persistent remote access, post-exploitation control, and lateral movement within affected environments.

On April 2, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-3502 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild and elevating the urgency for remediation.

What is the recommended Mitigation?

  • Immediate Actions:
    Upgrade TrueConf clients to version 8.5.3 or later (patched)
    Validate the integrity of internal update mechanisms

  • Detection & Hardening:
    Monitor for anomalous update behavior and execution flows
    Inspect internal server-to-endpoint traffic for suspicious payloads
    Deploy EDR to detect post-exploitation frameworks (e.g., Havoc)
    Enforce application allowlisting for update processes

  • Network & Architecture:
    Segment systems running collaboration tools
    Restrict administrative access to update servers
    Apply least privilege across endpoints

  • Threat Hunting Focus:
    Unexpected executable downloads from internal servers
    DLL sideloading patterns
    Unusual outbound connections from collaboration software
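The update-integrity point above, as an added example: the Python below is not TrueConf code and makes no claim about how the product's own updater works. It shows the generic control the mitigation asks for, executing an update only when its SHA-256 matches a digest pinned in a manifest obtained over a separate channel (or shipped signed with the client), so a compromised update server cannot substitute a payload. The manifest, the payloads and the file names are constructed.

```python
"""Verify a downloaded update against an out-of-band manifest before running it.

Added example for this report; not TrueConf code and not a description of the
product's updater. An update is accepted only when its SHA-256 matches a digest
pinned in a manifest that did not come from the update server itself. The
manifest, the "downloaded" payloads and the file names are all constructed.
"""
import hashlib
import hmac
import os
import tempfile

# Constructed manifest: in practice fetched over a separate, authenticated channel
# (or shipped signed with the client) so a compromised update server cannot rewrite it.
SAMPLE_UPDATE = b"MZ\x90\x00 sample-update-8.5.3"
MANIFEST = {
    "8.5.3": {"file": "trueconf_update_8.5.3.exe", "sha256": hashlib.sha256(SAMPLE_UPDATE).hexdigest()},
}


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_update(path: str, version: str, manifest: dict) -> tuple[bool, str]:
    """Return (ok, reason). Unknown versions and digest mismatches both fail closed."""
    entry = manifest.get(version)
    if entry is None:
        return False, f"version {version} not present in manifest"
    if os.path.basename(path) != entry["file"]:
        return False, f"unexpected file name {os.path.basename(path)!r}"
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, entry["sha256"]):
        return False, f"sha256 mismatch: expected {entry['sha256'][:12]}..., got {actual[:12]}..."
    return True, "digest matches manifest"


def demo() -> dict:
    """Write a genuine and a tampered payload to disk and verify both."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "trueconf_update_8.5.3.exe")
        with open(target, "wb") as fh:
            fh.write(SAMPLE_UPDATE)
        results["genuine"] = verify_update(target, "8.5.3", MANIFEST)[0]
        # Same file name and version, one byte changed: what a swapped update looks like to the client.
        with open(target, "wb") as fh:
            fh.write(SAMPLE_UPDATE[:-1] + b"X")
        results["tampered"] = verify_update(target, "8.5.3", MANIFEST)[0]
        results["unknown_version"] = verify_update(target, "9.0.0", MANIFEST)[0]
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'ACCEPT' if ok else 'REJECT'}")
```

The same check belongs in any in-house update or deployment tooling: the server that hands out the bytes must not also be the only source of truth for what those bytes should be.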

What FortiGuard Coverage is available?

  • FortiGuard IPS Coverage:
    FortiGuard provides detection coverage for Havoc-related activity through IPS signature Backdoor.Havoc.Agent (ID: 52655). This signature detects traffic associated with the Havoc C2 framework.

  • FortiGuard Endpoint Security (AV & Behavior Detection):
    FortiGuard provides detection coverage for malicious update-based execution, DLL sideloading techniques, and Havoc-related post-exploitation activity. Behavioral detection capabilities help identify abnormal process execution originating from trusted applications and detect unauthorized outbound C2 communications.

  • FortiGuard Incident Response:
    Organizations that suspect exposure to compromised TrueConf update infrastructure or potential exploitation of CVE-2026-3502 should engage FortiGuard Incident Response for rapid investigation, containment, and remediation. FortiGuard IR provides expert-led analysis to identify affected endpoints, trace malicious update propagation, and eradicate deployed payloads, including Havoc C2 agents.

  • FortiGuard Labs Threat Intelligence:
    FortiGuard Labs is actively monitoring Operation TrueChaos and related activity involving abuse of trusted software update mechanisms. This includes tracking exploitation of CVE-2026-3502, malicious update delivery techniques, DLL sideloading chains, and deployment of the Havoc command-and-control framework.

What is the Attack?

A software supply chain attack targeted the widely used JavaScript library Axios after an attacker reportedly compromised a maintainer’s npm account and published malicious package versions 1.14.1 and 0.30.4. These versions introduced a concealed dependency, plain-crypto-js@4.2.1, which executed during installation and deployed a cross-platform remote access trojan (RAT).

Axios is a widely adopted HTTP client for both browser and Node.js environments, with more than 100 million weekly downloads and extensive use across:

- Web applications
- Backend services
- CI/CD pipelines

The malicious versions were available for approximately 2–3 hours before being removed. Any system that executed npm install during that period and retrieved the affected versions should be treated as potentially fully compromised.

This is a high-impact software supply chain compromise that abused a trusted package distribution channel. By using a hidden dependency and install-time execution, the attacker enabled automated compromise at scale, with particular risk to developer workstations, build servers, and software delivery pipelines.

Microsoft Threat Intelligence has attributed the Axios npm compromise and its supporting infrastructure to Sapphire Sleet, a North Korean state actor.

What is the recommended Mitigation?

Users of the affected packages should immediately revert to versions that are not affected, audit their environments for indicators of compromise, and treat any system that installed the malicious versions as fully compromised:

  • Identify and remove:
    axios@1.14.1 and axios@0.30.4
    plain-crypto-js (any copy; it should not appear in a legitimate dependency tree)

  • Rotate and rebuild:
    Credentials, tokens, and API keys reachable from the affected host or pipeline
    Rebuild affected environments from a trusted baseline rather than cleaning them in place

  • Enforce:
    Dependency pinning (exact versions in a committed lockfile, installed with npm ci)
    Install-script restrictions (npm install --ignore-scripts, or ignore-scripts=true in .npmrc)
    Supply chain monitoring controls
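To find the affected versions in a project, the Python below (an added example, not FortiGuard or axios project code) audits a package-lock.json: it flags the malicious axios releases, any copy of plain-crypto-js, and every package npm marks with hasInstallScript, since each of those runs code at install time. It reads the packages map that lockfile v2/v3 (npm 7 and later) writes; the sample lockfiles are constructed and the non-affected axios version in the clean one is illustrative.

```python
"""Audit an npm package-lock.json for the compromised axios versions and install scripts.

Added example for this report, not FortiGuard or axios project code. It reads the
lockfile v2/v3 "packages" map that npm 7 and later write; the sample lockfiles
below are constructed, and the non-affected axios version in the clean sample is
illustrative only.
"""
import json
import sys

# Versions named in the report; any copy of the phantom dependency is flagged regardless of version.
MALICIOUS_VERSIONS = {"axios": {"1.14.1", "0.30.4"}}
PHANTOM_PACKAGES = {"plain-crypto-js"}


def package_name(lock_path: str) -> str:
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock: dict) -> dict:
    """Return lockfile entries that are malicious, phantom, or run install-time scripts."""
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("lockfileVersion 1 has no 'packages' map; regenerate the lock with npm >= 7")
    findings = {"malicious": [], "phantom": [], "install_scripts": []}
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        name, version = package_name(path), meta.get("version", "")
        label = f"{name}@{version} ({path})"
        if version in MALICIOUS_VERSIONS.get(name, ()):
            findings["malicious"].append(label)
        if name in PHANTOM_PACKAGES:
            findings["phantom"].append(label)
        # npm records hasInstallScript for packages with preinstall/install/postinstall hooks;
        # each one is code that runs at `npm install` time and deserves review.
        if meta.get("hasInstallScript"):
            findings["install_scripts"].append(label)
    return findings


def audit_file(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return audit_lockfile(json.load(fh))


# Constructed lockfiles: one that pulled the malicious release, one that did not.
COMPROMISED_LOCK = {
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1", "dependencies": {"plain-crypto-js": "4.2.1"}},
        "node_modules/plain-crypto-js": {"version": "4.2.1", "hasInstallScript": True},
        "node_modules/esbuild": {"version": "0.21.0", "hasInstallScript": True},
    },
}
CLEAN_LOCK = {
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "dependencies": {"axios": "1.12.0"}},
        "node_modules/axios": {"version": "1.12.0"},
    },
}

if __name__ == "__main__":
    report = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_lockfile(COMPROMISED_LOCK)
    for kind, entries in report.items():
        print(f"{kind}: {', '.join(entries) or 'none'}")
    if report["malicious"] or report["phantom"]:
        print("treat this host and every credential it held as compromised; rotate and rebuild")
```

Run it with the path to a lockfile as the only argument, across every repository and CI cache that ran npm install in the exposure window; a lockfile that never recorded the malicious version is not proof of safety if npm install ran without a committed lockfile at the time.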

What FortiGuard Coverage is available?

  • FortiCNAPP: Protects against the Axios npm supply-chain compromise by providing end-to-end visibility and threat detection across development, build, and runtime environments.

    At runtime, it uses behavioral analytics and composite alerts to flag suspicious processes, cross-platform RAT artifacts, and network communication with attacker infrastructure, enabling rapid identification and containment of compromised systems. Continuous threat intelligence updates ensure detection of evolving supply chain attacks, while automated prioritization and remediation guidance help organizations isolate affected hosts, remove malicious dependencies, and restore trusted development and production environments.

    Read the full solution: How does Lacework FortiCNAPP Protect | Fortinet Community

  • FortiGuard Incident Response: Organizations that suspect exposure to the compromised axios npm package (1.14.1, 0.30.4) should engage FortiGuard Incident Response for rapid investigation, containment, and recovery. FortiGuard IR provides expert-led analysis to identify affected systems and remove malicious dependencies.

  • FortiGuard Labs Threat Intelligence: FortiGuard Labs is actively monitoring software supply chain attacks targeting open-source ecosystems, including the axios compromise. This activity involves malicious package publication via compromised maintainer accounts, use of phantom dependencies, and post-install script execution to deploy cross-platform RAT payloads. Ongoing tracking includes malicious package versions, dependency abuse techniques, command-and-control infrastructure, and downstream impact across developer and enterprise environments. Intelligence updates, IOCs, and mitigation guidance will be continuously refined as additional data becomes available.

  • FortiGuard Antivirus & Behavior Detection: FortiGuard provides detection coverage for RAT payloads and malicious post-install behaviors associated with compromised npm packages.

What is the Attack?

Researchers from Google Threat Intelligence Group identified DarkSword, a sophisticated full-chain iOS exploit framework actively used by multiple surveillance vendors and suspected state-sponsored actors. Observed since at least November 2025, the exploit has been deployed in targeted campaigns across Saudi Arabia, Turkey, Malaysia, and Ukraine, enabling silent compromise of iOS devices and delivery of post-exploitation malware.

DarkSword targets iOS 18.4–18.7, leveraging six vulnerabilities to achieve:
Remote Code Execution (RCE)
Sandbox Escape
Kernel-Level Privilege Escalation

Campaign-Specific Tradecraft:
Saudi Arabia: Fake Snapchat lookalike used as a social engineering lure
Ukraine: Compromise of at least two local websites, including a government site (watering hole attack)

Post-Exploitation Malware Families:
GHOSTBLADE: Initial-stage implant for device profiling and access validation
GHOSTKNIFE: Intermediate payload enabling data collection and command execution
GHOSTSABER: Advanced implant supporting persistent surveillance and data exfiltration

What is the recommended Mitigation?

  • Immediate Patching:
    Update iOS devices to a release beyond the affected 18.4–18.7 range as Apple security updates become available

  • Web Filtering & DNS Security:
    Block access to suspicious or newly registered domains used in exploit delivery

  • High-Risk User Protection:
    Enforce stricter controls (device hardening, limited browsing exposure) for sensitive roles

  • Threat Intelligence Integration:
    Continuously ingest indicators related to DarkSword infrastructure and malware families

What FortiGuard Coverage is available?

• FortiGuard Incident Response: Organizations that suspect compromise of iOS devices via the DarkSword exploit chain should engage FortiGuard Incident Response for rapid investigation, containment, forensic analysis, and recovery support. Focus areas include identification of exploit-triggering web activity, analysis of post-exploitation malware (GHOSTBLADE, GHOSTKNIFE, GHOSTSABER), validation of device compromise scope, and detection of potential data exfiltration or persistent surveillance mechanisms.

• FortiGuard Labs Threat Intelligence: FortiGuard Labs is actively monitoring threat activity associated with DarkSword and related mobile exploitation frameworks identified by Google Threat Intelligence Group.

• FortiGuard Antivirus & Behavior Detection: Protects against post-exploitation malware families associated with DarkSword, including GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. Virus | FortiGuard Labs

• FortiGuard Indicators of Compromise (IOCs) Service: FortiGuard Labs has blocked all known DarkSword-associated indicators, including malicious domains used for exploit delivery, watering hole infrastructure, and command-and-control endpoints.

What is the Attack?

A large-scale cyberattack against medical technology company Stryker caused widespread system outages. The attack was a destructive wiper campaign attributed to Iran-linked threat actors, including the hacktivist group Handala.

Following the incident, CISA issued an alert highlighting the compromise of endpoint management infrastructure, specifically platforms such as Microsoft Intune, as a critical attack vector.

The activity underscores a shift toward targeting centralized device management systems, enabling adversaries to execute large-scale, coordinated, and destructive actions across enterprise environments.

What is the recommended Mitigation?

• Harden endpoint management configurations (Intune and equivalents).
• Enforce MFA and strong identity controls for admin access.
• Restrict and monitor privileged device management actions.
• Apply Microsoft hardening guidance and security baselines.
• Audit device enrollment and policy deployment mechanisms.

What FortiGuard Coverage is available?

• FortiGuard Incident Response: Organizations that suspect compromise of endpoint management infrastructure (e.g., Microsoft Intune or equivalent platforms) should engage FortiGuard Incident Response for rapid investigation, containment, forensic analysis, and recovery support. Focus areas include privileged account abuse, unauthorized policy deployment, and potential destructive actions across managed endpoints.

• FortiGuard Labs Threat Intelligence: FortiGuard Labs is actively monitoring ongoing threat activity involving the targeting of endpoint management systems and associated destructive campaigns. This includes tracking Iran-linked actor activity (e.g., Handala), evolving wiper malware techniques, and abuse of centralized device management platforms. Continuous intelligence updates, indicators of compromise (IOCs), and mitigation guidance will be provided as new information emerges.

• FortiGuard Antivirus & Behavior Detection: Provides protection against known malware and destructive tooling, including wiper malware and post-compromise payloads. Advanced behavioral detection identifies abnormal endpoint management actions, privilege misuse, and mass-impact operations, enabling early detection and prevention of large-scale device disruption.

What are the Vulnerabilities?

Ivanti disclosed two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, affecting Ivanti Connect Secure (ICS), Policy Secure, and Neurons for ZTA gateways. CVE-2025-0282 is an unauthenticated stack-based buffer overflow whose successful exploitation can result in unauthenticated remote code execution. CVE-2025-0283 is a stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 that allows a local authenticated attacker to escalate privileges.

Mandiant reported identifying zero-day exploitation of CVE-2025-0282 in the wild beginning in mid-December 2024. Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation | Google Cloud Blog

In light of active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0282 to the Known Exploited Vulnerabilities (KEV) catalog on January 8, 2025.

Microsoft Threat Intelligence Center reported that in January 2025 Silk Typhoon was also observed exploiting CVE-2025-0282 as a zero-day in public-facing Ivanti Pulse Connect VPN appliances.
Silk Typhoon targeting IT supply chain | Microsoft Security Blog

What is the recommended Mitigation?

  • FortiGuard Labs recommends that users apply the fix provided by the vendor and follow the instructions in the vendor's advisory.

What FortiGuard Coverage is available?

  • FortiGuard Labs has blocked all known malware and related Indicators of Compromise (IOCs) observed in the campaign targeting the Ivanti vulnerability.

  • FortiGuard IPS protection is available to detect and block attack attempts targeting CVE-2025-0282, the stack-based buffer overflow in Ivanti Connect Secure. Intrusion Prevention | FortiGuard Labs

  • The FortiGuard Incident Response team can be engaged to help with any suspected compromise.

What is the Attack?

The threat cluster UNC6201, a suspected China-nexus Advanced Persistent Threat (APT), is actively exploiting a critical zero-day vulnerability in Dell's RecoverPoint for Virtual Machines platform. The flaw (CVE-2026-22769) stems from hard-coded credentials embedded in the appliance, allowing unauthenticated remote attackers to gain administrative access. Because RecoverPoint is a disaster recovery and backup product, successful exploitation gives attackers high-value access to core infrastructure that often sits deep inside enterprise networks.

Once access is obtained, the attackers deploy web shells and custom backdoors to establish persistent control. According to reporting from Google Threat Intelligence Group, the campaign evolved from earlier BRICKSTORM malware to a newer backdoor called GRIMBOLT, indicating ongoing development and operational maturity.

Because the flaw is actively exploited in the wild and affects critical enterprise infrastructure, it represents a significant operational risk for organizations running vulnerable versions of RecoverPoint.

What is the recommended Mitigation?

• Immediately upgrade vulnerable instances of Dell RecoverPoint for Virtual Machines to the fixed release. Dell has released remediations for CVE-2026-22769, and customers are urged to follow the guidance in the official Security Advisory. DSA-2026-079: Security Update for RecoverPoint for Virtual Machines Hardcoded Credential Vulnerability | Dell US
• Restrict the network exposure of RecoverPoint appliances. Ensure the management interface is not internet-facing.
• Conduct post-exploitation validation and threat hunting. Review appliance logs for unusual authentication activity, in particular successful logins to built-in accounts from unexpected sources, and check the appliance for unexpected web shells or new files in web-served directories. Patching alone does not evict an attacker who already has persistence.

What FortiGuard Coverage is available?

• FortiGuard Labs is actively monitoring exploitation activity associated with the UNC6201 campaign targeting Dell RecoverPoint for VM. The team continues to track evolving attacker infrastructure, tooling, and tactics, and will provide ongoing intelligence updates, newly identified indicators, and protection guidance as the situation develops.

• FortiGuard Antivirus & Behavior Detection protects against known malware families associated with this activity and leverages advanced behavioral analysis to detect and block previously unseen variants, including web shells and custom backdoors deployed post-exploitation.

• Indicators of Compromise (IOC) Service: FortiGuard Labs has implemented protections to block all currently known malicious indicators linked to this campaign. Continuous monitoring ensures the rapid addition of newly discovered hashes, domains, IP addresses, and behavioral artifacts.

• FortiGuard Incident Response: Organizations that suspect compromise can engage the FortiGuard Incident Response team for rapid investigation, containment, forensic analysis, and remediation support to minimize operational and security impact.

What is the Vulnerability?

A Local File Inclusion (LFI) vulnerability (CVE-2025-68645) exists in the Zimbra Collaboration Suite (ZCS) Webmail Classic UI due to improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft malicious requests, potentially exposing sensitive configuration and application data and aiding further compromise.

Successful exploitation may allow threat actors to:
• Leak sensitive files from the system WebRoot directory
• Gain reconnaissance and a foothold inside the targeted environment
• Leverage exposed information for further exploitation or escalation

A public proof-of-concept exploit is available, and active exploitation has been observed.

What is the recommended Mitigation?

• Apply vendor patches immediately. Affected releases are Zimbra Collaboration (ZCS) 10.0 through 10.0.17 and 10.1.0 through 10.1.12; the fixed releases are 10.0.18 and 10.1.13.
• Restrict access to Zimbra Webmail interfaces from untrusted networks.
• Hunt for anomalous file inclusion requests and unauthorized file access patterns.
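The hunting point above, as an added example (not Zimbra or FortiGuard code): the Python below scans web access logs for file-inclusion attempts using a generic heuristic, a ".." segment in the URL path or in any query parameter after repeated percent-decoding, so it also catches double-encoded and backslash variants. It does not reproduce the published proof of concept; the log lines are constructed in Combined Log Format, and the request path is an illustrative Zimbra REST path rather than the vulnerable RestFilter parameter.

```python
"""Hunt web-server access logs for path-traversal style file-inclusion requests.

Added example for this report, not Zimbra or FortiGuard code. It applies a generic
LFI heuristic (a '..' path segment in the URL path or any query parameter after
repeated percent-decoding) rather than the published proof of concept. The log
lines below are constructed in Combined Log Format with illustrative paths.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# A '..' segment bounded by slashes/backslashes or the string ends, after normalisation.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def deep_unquote(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (e.g. %252e -> %2e -> .) up to `rounds` times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_indicators(url: str) -> list[str]:
    """Return the decoded path/parameter values that contain a traversal segment."""
    parts = urlsplit(url)
    candidates = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    hits = []
    for raw in candidates:
        decoded = deep_unquote(raw).replace("\x00", "")  # drop NUL-byte truncation tricks
        if TRAVERSAL_RE.search(decoded):
            hits.append(decoded)
    return hits


def hunt(log_text: str) -> list[dict]:
    """Parse each access-log line and keep those carrying traversal indicators."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = traversal_indicators(m["url"])
        if hits:
            alerts.append({"src": m["src"], "status": int(m["status"]), "url": m["url"], "indicators": hits})
    return alerts


# Constructed log lines; the 'id' parameter is illustrative, not the parameter named in the advisory.
SAMPLE_LOG = """\
198.51.100.4 - - [09/Jan/2026:10:02:11 +0000] "GET /service/home/~/?auth=co&loc=en_US&id=1042 HTTP/1.1" 200 5120
203.0.113.9 - - [09/Jan/2026:10:02:15 +0000] "GET /service/home/~/?auth=co&loc=en_US&id=..%2f..%2fWEB-INF%2fweb.xml HTTP/1.1" 200 2210
203.0.113.9 - - [09/Jan/2026:10:02:19 +0000] "GET /service/home/~/?auth=co&loc=en_US&id=%252e%252e%255c%252e%252e%255cWEB-INF%255cweb.xml HTTP/1.1" 404 310
"""

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(f"{alert['src']} {alert['status']} {alert['url']} <- {alert['indicators']}")
```

A 200 response on a traversal request is the line to escalate: it is the difference between a scanner probing and a file actually being served. Pair the hit list with the source IP across the whole retention window, since the same client usually follows a successful read with further requests.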

What FortiGuard Coverage is available?

• FortiGuard Intrusion Prevention System (IPS) Service: FortiGuard IPS Service is available to detect and block exploit attempts targeting CVE-2025-68645. Intrusion Prevention | FortiGuard Labs
• FortiGuard Antivirus & Behavior Detection: Delivers protection against known malware and uses advanced behavioral analysis to detect and block unknown threats.
• Indicators of Compromise (IOCs) Service: The FortiGuard team is continuously monitoring for emerging threats and new IOCs.
• FortiGuard Incident Response: Organizations suspecting a compromise can contact the FortiGuard Incident Response team for rapid investigation and remediation support.
