
Interpol-led crackdown disrupts cybercrime networks in Africa that caused $485 million in losses

A globally coordinated operation involving support from 18 countries in Africa, the United Kingdom and nine security organizations resulted in the arrest of 1,209 alleged cybercriminals, Interpol said Friday.

Authorities said they recovered $97.4 million and dismantled 11,432 pieces of malicious infrastructure between June and August. Financial losses attributed to the crimes allegedly committed by people involved in this widespread string of ransomware, online scams and business email compromise neared $485 million, officials said.

Operation Serengeti 2.0 identified 87,858 victims from multiple criminal syndicates and operations spanning Africa. Authorities in Zambia took down an online investment fraud scheme that impacted at least 65,000 victims who lost an estimated $300 million combined.

In Angola, authorities dismantled 25 cryptocurrency mining centers where 60 Chinese nationals were allegedly validating blockchain transactions to generate cryptocurrency. Officials said they confiscated 45 illegal power stations, mining and IT equipment valued at more than $37 million, which the government has earmarked to support power distribution in vulnerable areas. 

TRM Labs, one of the private organizations that supported the crackdown, shared details about ransomware-related operations impacted by the law enforcement action.

“In Ghana, investigators pursued leads tied to the Bl00dy ransomware group, a Conti spin-off that has targeted education, healthcare, and public sector victims. Analysis suggested elements of Bl00dy’s laundering infrastructure were active in the country,” the company said in a LinkedIn post.

Investigators in Seychelles acted on intelligence connected to RansomHub, broadening the range of targets and dismantling additional infrastructure, TRM Labs added.

Interpol said Operation Serengeti 2.0 also disrupted a suspected human trafficking network in Zambia and a transnational inheritance scam in Côte d’Ivoire that caused about $1.6 million in losses. 

“Each Interpol-coordinated operation builds on the last, deepening cooperation, increasing information sharing and developing investigative skills across member countries,” Valdecy Urquiza, secretary general of Interpol, said in a statement. “With more contributions and shared expertise, the results keep growing in scale and impact. This global network is stronger than ever, delivering real outcomes and safeguarding victims.”

Countries involved in the crackdown include: Angola, Benin, Cameroon, Chad, Côte d’Ivoire, Democratic Republic of Congo, Gabon, Ghana, Kenya, Mauritius, Nigeria, Rwanda, Senegal, South Africa, Seychelles, Tanzania, United Kingdom, Zambia and Zimbabwe.

Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro and Uppsala Security also aided the investigation.

The post Interpol-led crackdown disrupts cybercrime networks in Africa that caused $485 million in losses appeared first on CyberScoop.

Fortinet SIEM issue coincides with spike in brute-force traffic against company’s SSL VPNs

Fortinet warned customers in an advisory Tuesday of a critical vulnerability in FortiSIEM, its security information and event management software, adding that “practical exploit code” for the defect exists in the wild.

The OS command injection vulnerability, CVE-2025-25256, has an initial CVSS score of 9.8 and could allow unauthenticated attackers to escalate privileges and execute code or commands. Active exploitation hasn’t been observed. Fortinet encouraged customers on affected versions of FortiSIEM to upgrade to the latest version available, and advised customers to limit access to the phMonitor port (7900) as a workaround. 

The CVE designation and disclosure arrived on the heels of a GreyNoise threat report alerting defenders to a significant spike in brute-force traffic targeting Fortinet hardware, particularly its secure sockets layer (SSL) VPNs. GreyNoise said it observed more than 780 unique IPs attempting to brute force credentials against Fortinet SSL VPNs earlier this month. 
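The GreyNoise observation above is a count of distinct source addresses, not of failed attempts, which is what separates a credential-stuffing wave from one user mistyping a password. As an added example (not code from the article, GreyNoise or Fortinet), the Python below applies that idea to a constructed, simplified VPN authentication log: it buckets failed logins by hour, counts the distinct source IPs in each bucket, and flags an hour whose count jumps well above the median of the preceding hours. The log line format and the `203.0.113.0/24` addresses are constructed for the example; the regex would need to be adapted to whatever your VPN actually emits.

```python
"""Flag hours in which an unusual number of distinct source IPs fail VPN logins.

Added example, not from the article or from GreyNoise/Fortinet. The log format
below is a constructed, simplified one, not Fortinet's real syslog schema.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed format: "<ISO timestamp> vpn-login result=<success|failure> src=<ip> user=<name>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) vpn-login "
    r"result=(?P<result>success|failure) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) user=(?P<user>\S+)$"
)


def build_sample_logs():
    """Constructed sample: three quiet hours, then one hour with 30 distinct failing IPs."""
    lines = []
    quiet = [(0, ["10.0.0.5", "10.0.0.9"]), (1, ["10.0.0.5"]), (2, ["10.0.0.7", "10.0.0.9", "10.0.0.5"])]
    for hour, ips in quiet:
        # a handful of staff mistyping a password, then logging in successfully
        for i, ip in enumerate(ips):
            lines.append(f"2025-08-01T{hour:02d}:{i * 5:02d}:00 vpn-login result=failure src={ip} user=alice")
        lines.append(f"2025-08-01T{hour:02d}:30:00 vpn-login result=success src=10.0.0.5 user=alice")
    # spike hour: 30 distinct documentation-range addresses, three guesses each
    for n in range(30):
        for attempt in range(3):
            lines.append(
                f"2025-08-01T03:{n:02d}:{attempt * 10:02d} vpn-login result=failure "
                f"src=203.0.113.{n + 1} user=admin"
            )
    lines.append("garbage line that does not parse")  # must be skipped, not counted
    return "\n".join(lines)


def parse_events(text):
    """Return (timestamp, result, src_ip, user) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["src"], m["user"]))
    return events


def failing_ips_per_hour(events):
    """Map each hour bucket to the set of distinct source IPs with at least one failed login."""
    buckets = defaultdict(set)
    for ts, result, src, _user in events:
        if result == "failure":
            buckets[ts.replace(minute=0, second=0, microsecond=0)].add(src)
    return dict(sorted(buckets.items()))


def flag_spikes(buckets, factor=5.0, min_ips=10):
    """Flag hours whose distinct-failing-IP count is at least `factor` times the median
    of all earlier hours and at least `min_ips` (so 1 -> 5 does not fire on its own)."""
    flagged, history = [], []
    for hour, ips in buckets.items():
        count = len(ips)
        if history and count >= min_ips and count >= factor * median(history):
            flagged.append((hour, count))
        history.append(count)
    return flagged


if __name__ == "__main__":
    buckets = failing_ips_per_hour(parse_events(build_sample_logs()))
    for hour, count in flag_spikes(buckets).items() if isinstance(flag_spikes(buckets), dict) else flag_spikes(buckets):
        print(f"{hour:%Y-%m-%d %H:00}: {count} distinct source IPs failed VPN logins")
```

On the constructed input only the 03:00 hour is flagged (30 distinct IPs against a median of 2 in the quiet hours). Raw failure counts would not have separated it as cleanly: the quiet hours and the spike hour both contain repeated failures from the same addresses, and it is the breadth of sources that matches the pattern the report describes.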

GreyNoise research shows notable spikes in attacker activity against edge technologies often precede the disclosure of a new CVE in the targeted technology within six weeks. The pattern occurred across 4 in 5 cases analyzed by GreyNoise overall. 

The threat intel company has specifically documented instances where spikes in malicious activity against Fortinet products correlate soon after with CVE disclosures affecting the same product.

“GreyNoise cannot confirm a direct causal link between the brute-force activity against Fortinet SSL VPNs and the disclosure of CVE-2025-25256 affecting FortiSIEM,” Noah Stone, head of content at GreyNoise Intelligence, told CyberScoop. “While the close timing between this spike and the CVE-2025-25256 disclosure is notable, it does not prove the two events are related.”

During the period of heightened activity earlier this month, “the observed traffic was also targeting our FortiOS profile, suggesting deliberate and precise targeting of Fortinet’s SSL VPNs,” Stone said in a blog post. “This was not opportunistic — it was focused activity.”

GreyNoise has observed 55 malicious IPs targeting Fortinet SSL VPNs in the past day. While researchers aren’t currently aware of exploitation, the presence of exploit code suggests that could change soon.

“The public release of practical exploit code typically accelerates exploitation in the wild, as it lowers the barrier for less sophisticated attackers,” Stone said.

Fortinet did not provide any details about the nature of the exploit code, or when and how it became aware of the vulnerability. Yet, in its advisory, the security vendor noted: “the exploitation code does not appear to produce distinctive indicators of compromise.”

Defects in Fortinet products pose a persistent risk for defenders and a recurring pathway for attackers to break into victim networks. The cybersecurity vendor did not respond to a request for comment.

The Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog contains 20 Fortinet defects dating back to 2021, including five so far this year. The majority of those flaws, including three added this year, have been used in ransomware attacks, according to CISA. 

Edge technologies, including VPNs, firewalls and routers, harbored the four most frequently exploited vulnerabilities in 2024, according to Mandiant’s M-Trends report released earlier this year. 

One of those defects, a SQL injection vulnerability in Fortinet’s FortiClient Endpoint Management Server — CVE-2023-48788 — was the fourth-most frequently exploited vulnerability across all of Mandiant’s incident response engagements last year. 

Researchers at Darktrace said another Fortinet vulnerability — CVE-2024-47575, a defect affecting Fortinet’s network management tool — was among the six most commonly exploited vulnerabilities it observed last year.

The post Fortinet SIEM issue coincides with spike in brute-force traffic against company’s SSL VPNs appeared first on CyberScoop.
