Threat Intel: APT27, FRP, TTNG, and More…

4/29/24 2:22 PM  |  by RedLegg's Cyber Threat Intelligence Team



This report serves as a comprehensive resource, offering insights into what our team considered the most pressing cybersecurity concerns for our clients in March of 2024. We encourage our readers to stay informed and take proactive measures to minimize the attack surface of their organizations.

Our dedicated cyberfusion threat intelligence team closely monitors various sources, including public reporting, vendor advisories, and industry intelligence, to identify and prioritize potential risks. We have assessed and profiled several notable threats, including APT27, TinyTurla-NG, and the Fast Reverse Proxy (FRP) tool, which has been observed in attacks by advanced persistent threats (APTs) such as APT27 and Volt Typhoon.

Additionally, we have closely evaluated recent security updates and vulnerabilities disclosed by major software vendors, including Microsoft and Fortinet. Our analysis encompasses critical vulnerabilities that could potentially lead to remote code execution, privilege escalation, and unauthorized access if left unpatched.

Staying vigilant and proactive is essential. By continuously monitoring and analyzing emerging threats, vulnerabilities, and attack vectors, we aim to provide our clients with actionable intelligence, enabling them to fortify their defenses and mitigate potential risks effectively.



This month CTI prioritized 2 net-new threats as candidates for threat profiling. These threats were prioritized as a proactive response to the latest customer RFI inquiries and to attack tools that were observed being leveraged by attackers in recent public reporting and that could potentially impact RedLegg customers.

1. APT27 – RedLegg CTI Threat Score – 6 (Normal)

   APT27 was prioritized in response to a Request for Information (RFI) inquiry from an external RedLegg customer. Additional information can be found in the Request for Information (RFI) Summary Section. (See ‘RFI24-012 – APT27’ for details.)

2. TinyTurla-NG – RedLegg CTI Threat Score – 3 (Low)

   TinyTurla-NG was prioritized in response to public reporting released by Cisco Talos regarding techniques observed following TinyTurla-NG’s (TTNG’s) post-compromise activity.

Net-new prioritized threats = 2

CTI has resumed production of threat profiles and has also identified the latest threat for profiling, Fast Reverse Proxy (FRP). This threat has now entered the collection phase of the CTI lifecycle.

Fast Reverse Proxy (FRP) – RedLegg CTI Threat Score – 7 (High)

Fast Reverse Proxy (FRP) is a tool that is used to establish command and control (C2) communications with remote endpoints via reverse proxy.
FRP has been observed being leveraged for command and control in attacks by advanced persistent threats such as APT27 (i.e. attached to RFI24-012) and Volt Typhoon (i.e. previously released threat profile – September 2023).

Status = Active (Collection Phase)

CTI Reflection: As of March 2024, RedLegg CTI has prioritized and evaluated a total of 111 threats since integrating the threat prioritization process into the RedLegg CTI program back in June of 2023.



Fortinet PSIRT Security Updates

Cyber adversaries have a long-standing history of leveraging vulnerabilities in public facing applications (T1190), such as FortiGate network appliances for initial access and in rare instances – supply chain compromise. RedLegg CTI will continuously evaluate and prioritize software vulnerabilities that are among this unique category of threats. This month CTI evaluated multiple vulnerabilities affecting Fortinet devices.

While gathering and analyzing public reporting, CTI became aware of FortiGuard Labs’ latest PSIRT concerning security updates for multiple Fortinet products. See below for details:


In response to Fortinet’s security updates, on March 12, 2024, the Cybersecurity & Infrastructure Security Agency (CISA) published a Cybersecurity Advisory Alert, further emphasizing Fortinet’s initial PSIRT advisory. Fortinet’s advisory addressed multiple vulnerabilities with severity scores ranging from critical to medium, along with impact ratings that include execution of unauthorized code/commands, improper access control, and privilege elevation.

While CTI opted to not publish an Emergency Security Bulletin following our analysis, we engaged with our internal IT team to ensure RedLegg internal inventory was not compromised.

For more high-level information regarding the vulnerabilities included in Fortinet’s PSIRT advisory see the ‘Emergency Security Bulletin’ sub-section.


Microsoft Patch Tuesday Critical Security Bulletin

On March 12, 2024, the Microsoft Security Response Center (MSRC) released their latest security updates, which addressed 61 software vulnerabilities for the March 2024 Microsoft Patch Tuesday Security Update. Among the 61 software vulnerabilities, the ‘Elevation of Privilege’ vulnerability type accounted for the most occurrences among the eight types of vulnerabilities disclosed in the security update.


In response to the MSRC’s monthly update, RedLegg CTI published a Critical Security Bulletin which included a concentrated list of vulnerabilities we believe to be the most concerning. While none of the vulnerabilities included in the MSRC’s update were reported as having been exploited in the wild, quite a few of the vulnerabilities impacted services and products that are likely utilized by a considerable number of Microsoft and RedLegg customers. These vulnerabilities are outlined here:

Open Management Infrastructure (OMI) Remote Code Execution Vulnerability

CVE-2024-21334 – CVSS Score 9.8 (CRITICAL)

CWE-416: Use After Free

Possible exploitation of this vulnerability is bound to the network stack and does not require user interaction for success.

Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability

CVE-2024-21400 – CVSS Score 9.0 (CRITICAL)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

This vulnerability is associated with a ‘High’ attack complexity and is bound to the network stack for possible exploitation.

Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2024-26198 – CVSS Score 8.8 (HIGH)

CWE-426: Untrusted Search Path

Exploitation of this vulnerability is achieved using social engineering tactics and is bound to the network stack.

Microsoft Office Elevation of Privilege Vulnerability

CVE-2024-26199 – CVSS Score 7.8 (HIGH)

CWE-59: Improper Link Resolution Before File Access ('Link Following')

Exploitation of this vulnerability is achieved via local access and does not require user interaction for success.

Critical Security Vulnerabilities Bulletin

Emergency Security Bulletin

On March 12, 2024, FortiGuard Labs released three separate PSIRT Advisories, which provided patch updates that addressed multiple vulnerabilities impacting their FortiOS and FortiProxy products.

FG-IR-23-328: Out-of-bounds Write in captive portal

▪   Successful exploitation of the associated vulnerabilities could allow an adversary to execute arbitrary code via tailored HTTP requests.
▪  Affected products: FortiOS and FortiProxy
▪  CVE-2023-42789 – CVSS Score 9.8 (CRITICAL)
▪  CVE-2023-42790 – CVSS Score 8.1 (HIGH)

FG-IR-24-013: Authorization bypass in SSLVPN bookmarks

▪   The exploitation of this vulnerability could provide an adversary with improper access using URL manipulation.
▪  Affected products: FortiOS and FortiProxy
▪  CVE-2024-23112 – CVSS Score 7.2 (HIGH)

FG-IR-23-424: Improper authentication following read-only user login

▪   This vulnerability could allow an adversary to elevate privileges from read-only permissions to read-write access.
▪  Affected products: FortiOS
▪  CVE-2023-46717 – CVSS Score 6.7 (MEDIUM)

RedLegg CTI Outcome: While the affected products impacted public facing applications, FortiGuard Labs’ PSIRT Advisory included mitigation recommendations, workarounds, and patch updates, and none of the released vulnerabilities had been reported as being exploited in the wild. The evaluation of each of these vulnerabilities ultimately led to CTI denying the production of an associated ‘Emergency Security Bulletin’.
