Today I had the pleasure of presenting my research at #BHEU, and I am now very excited to share it with the rest of the world. TL;DR - unauthenticated attackers can spoof sensitive DNS records by abusing Microsoft DHCP. @akamai_research.1/7

RT @akamai_research: This is a wild one. 🏜️. The Coyote malware is now abusing UI Automation (UIA) - marking the first known case of UIA ab….

11/.For more technical details on this CVE and additional VPN post-exploitation techniques check out my Black Hat talk and blog post:

10/.I reported this issue to Fortinet last year, but they did not consider it as a vulnerability and currently have no plans to address it. So what can you do?. - Assume your VPN may eventually be breached.- Act accordingly by not storing *any* valuable credentials on it.

9/.This is likely part of what CISA is seeing in the wild. Credential theft from compromised Fortinet gear, followed by lateral movement (likely into AD). This exact behavior was detailed by Mandiant in a report covering Ivanti VPN exploitation:

8/.So even after the "fix", if an attacker compromises your Fortinet appliance, they can always:.✅ Disable the custom key.✅ Dump the config.✅ Decrypt all stored secrets.✅ Move laterally to additional services.

7/.While this protects exported config files—there’s still a big flaw:. If an attacker gains access to the device, they can. disable the custom key setting. This *reverts everything back to using the hardcoded key*. And. it doesn't require knowledge of the custom key.

6/.Now, Fortinet did try to fix this. They added an option to use a custom encryption key instead of the default one. Sounds good, right?. Well, not really.

5/.In both cases, the attacker can decrypt the secrets and pivot to whatever services are stored in the config:. ➡️ Active Directory.➡️ Cloud services.➡️ Kubernetes clusters.…and more. (A list of supported Fortinet integrations below)

4/.Scenario 2:.🖥️ The attacker compromises the Fortinet device itself (via stolen credentials or an exploit) and extracts the config.

3/.The original vulnerability could be exploited in two scenarios:. Scenario 1:.📁 An attacker finds an exported config file—left exposed somewhere (e.g. old backups, shared folders, etc.).

2/.The CVE TL;DR:.Fortinet encrypts stored secrets (such as local users, AD users used for LDAP integration, etc.) in exported config files using a *hardcoded* encryption key - and a weak one at that. The real problem?.The CVE was never properly fixed.

1/.🚨 CISA just added CVE-2019-6693 to their Known Exploited Vulnerabilities (KEV) catalog. This is a serious flaw in Fortinet appliances - *which was never fully fixed*. A quick breakdown 🧵.

RT @akamai_research: If you can't beat them, ban them 😏 . Malicious Cryptominers can be tough to dismantle - but we found a way. 👀 By explo….

RT @OutflankNL: Here's our new blog on hiding your implant in VTL1, where even an EDR's kernel sensor can't see it.🧑‍🦯. Post includes full….

RT @YuG0rd: Many missed this on #BadSuccessor: it’s also a credential dumper. I wrote a simple PowerShell script that uses Rubeus to dump….

RT @YuG0rd: @aniqfakhrul You can actually target krbtgt and get its keys, no need for DCSync.

RT @0xTriboulet: Microsoft, and other software vendors, have demonstrated time and again that security will always come second. I agree tha….

RT @YuG0rd: We've heard feedback suggesting we should have waited to release details about BadSuccessor until Microsoft issued a patch. We….

RT @akamai_research: Today we unveil BadSuccessor - a new no-fix Active Directory privilege escalation technique. We will explore the rece….

Amazing research by Yuval! .A privilege escalation technique in Active Directory that allows weak users to compromise ANY user in the domain. Microsoft considers this issue to be a moderate severity vulnerability, and don't currently plan to fix it. We'll let you be the judge🤷‍♂️.