KeyPlug Malware Server Leak Exposes Fortinet Firewall and VPN Exploitation Tools

Summary: Researchers uncovered operational tools and scripts tied to the KeyPlug malware of the threat group RedGolf (APT41) after a server was left exposed for under 24 hours. The exposed files revealed advanced tactics and techniques used in these attacks, in particular the targeting of vulnerabilities in Fortinet firewall and VPN infrastructure. The findings underscore significant security gaps and the need for robust monitoring and patch management in enterprise systems.

Affected: Fortinet systems

Keypoints:

  • Exposure of the server led to the discovery of reconnaissance scripts targeting Fortinet appliances, including a Python script that probes version hashes to fingerprint the appliance.
  • Detected tools included a webshell (bx.php) for remote command execution and a PowerShell reverse shell (client.ps1) for post-exploitation management.
  • The incident highlights weaknesses in commonly used enterprise security solutions and emphasizes the need for timely security updates and monitoring for unauthorized access attempts.

Source: https://gbhackers.com/keyplug-malware-server/