Critical Fortinet Vulnerabilities Exploited by the Qilin Ransomware Group

By Daniel Lopez

The Qilin ransomware group has been observed exploiting two critical vulnerabilities in FortiOS and FortiProxy appliances. Although the group currently appears to be concentrating on Spanish-speaking countries, attacks exploiting these vulnerabilities are likely to spread elsewhere. The Qilin ransomware-as-a-service (RaaS) operation emerged in August 2022, originally under the name Agenda. While it is not among the highest-profile ransomware groups, Qilin is believed to be behind more than 300 attacks, including attacks on healthcare organizations and on vendors that serve the healthcare sector.

The group's most recent healthcare victims include Next Step Healthcare in Massachusetts, The Health Trust in California, and Central Texas Pediatric Orthopedics. Qilin was also responsible for the massively disruptive 2024 attack on Synnovis, the pathology services provider for the UK NHS, from which Synnovis has still not fully recovered. The Health Sector Cybersecurity Coordination Center (HC3) published a threat profile on the Qilin ransomware group in June 2024 because of the risk it poses to the U.S. Healthcare and Public Health sector.

PRODAFT, a threat intelligence company based in The Hague, Netherlands, recently observed Qilin exploiting two Fortinet vulnerabilities: CVE-2024-55591, a critical authentication bypass, and CVE-2024-21762, a critical out-of-bounds write. Both affect FortiOS and FortiProxy, with CVE-2024-21762 located in the SSL-VPN component. Neither requires prior authentication: CVE-2024-55591 allows a remote attacker to obtain super-admin privileges on the device, while CVE-2024-21762 allows a remote attacker to execute arbitrary code or commands.

According to PRODAFT, Qilin carried out a coordinated attack against multiple organizations that exploited these vulnerabilities in FortiGate firewalls. Although the campaign targeted Spanish-speaking organizations, PRODAFT expects it to expand worldwide. PRODAFT also noted that Qilin's attacks are fully automated apart from victim selection, which is done manually.

Given that Qilin has attacked healthcare organizations before, and that other ransomware groups have also exploited these Fortinet vulnerabilities, HIPAA-covered healthcare providers should confirm that every FortiOS and FortiProxy device is running a fixed release. Because CVE-2024-55591 hands an attacker super-admin access, a device that sat exposed while vulnerable should also be reviewed for unauthorized administrator accounts and configuration changes rather than assumed clean once the update is applied.
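The following is an added example, not code from the article, from PRODAFT or from Fortinet: a small Python check that parses the `Version:` line printed by the FortiOS/FortiProxy CLI command `get system status` and reports which of the two CVEs the running build falls under. The affected version ranges are reproduced from Fortinet's PSIRT advisories FG-IR-24-535 (CVE-2024-55591) and FG-IR-24-015 (CVE-2024-21762) as I recall them and are an assumption to verify against the current advisory text before acting on the output; the FortiProxy ranges for CVE-2024-21762 are deliberately left out rather than guessed. The status output used at the bottom is constructed sample input.

```python
import re

# Affected version ranges (inclusive), reproduced from memory of Fortinet's
# advisories FG-IR-24-535 and FG-IR-24-015. ASSUMPTION: re-check these
# against the current advisory before relying on the result.
AFFECTED = {
    "CVE-2024-55591": {
        "FortiOS": [((7, 0, 0), (7, 0, 16))],
        "FortiProxy": [((7, 0, 0), (7, 0, 19)), ((7, 2, 0), (7, 2, 12))],
    },
    "CVE-2024-21762": {
        "FortiOS": [
            ((7, 4, 0), (7, 4, 2)),
            ((7, 2, 0), (7, 2, 6)),
            ((7, 0, 0), (7, 0, 13)),
            ((6, 4, 0), (6, 4, 14)),
            ((6, 2, 0), (6, 2, 15)),
            ((6, 0, 0), (6, 0, 99)),  # every 6.0 build; 6.0 is out of support
        ],
        # FortiProxy ranges for CVE-2024-21762 intentionally omitted: consult
        # FG-IR-24-015 for those rather than trusting a recalled list.
    },
}

# Matches e.g. "Version: FortiGate-100F v7.0.12,build0523,230424 (GA.M)"
VERSION_RE = re.compile(r"Version:\s*(Forti[A-Za-z]+)-\S+\s+v(\d+)\.(\d+)\.(\d+)")


def parse_status(status_text):
    """Return (product_family, (major, minor, patch)) from `get system status`.

    FortiGate hardware and VMs run FortiOS, so the "FortiGate-..." model string
    is mapped to the FortiOS family; "FortiProxy-..." is kept as FortiProxy.
    """
    m = VERSION_RE.search(status_text)
    if not m:
        raise ValueError("no recognisable 'Version:' line in status output")
    model, major, minor, patch = m.groups()
    family = "FortiOS" if model.startswith("FortiGate") else model
    return family, (int(major), int(minor), int(patch))


def affected_cves(family, version):
    """List the CVEs whose published ranges include this family/version."""
    hits = []
    for cve, families in AFFECTED.items():
        for low, high in families.get(family, []):
            if low <= version <= high:
                hits.append(cve)
                break
    return sorted(hits)


def check_status(status_text):
    """Convenience wrapper: parse the status output and return the CVE list."""
    family, version = parse_status(status_text)
    return affected_cves(family, version)


if __name__ == "__main__":
    # Constructed sample output, not captured from a real device.
    sample = (
        "Version: FortiGate-100F v7.0.12,build0523,230424 (GA.M)\n"
        "Firmware Signature: certified\n"
        "Virus-DB: 1.00000(2018-04-09 18:07)\n"
    )
    family, version = parse_status(sample)
    print(family, ".".join(map(str, version)), "->", affected_cves(family, version))
```

A build that falls outside both ranges only tells you the code is fixed; it says nothing about whether the device was already compromised while it was exposed, so pair this check with a review of the admin account list and recent configuration changes.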

Image credit: piter2121, AdobeStock


Posted by

Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years of experience as a HIPAA coach and provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter/X at https://twitter.com/DanielLHIPAA