CVE-2024-23113: Fortinet Vulnerability Exposes Media Companies to Cyberattacks

Executive Summary

In the rapidly evolving digital landscape, media companies are increasingly vulnerable to sophisticated cyberattacks. These organizations, with their vast digital assets and high-profile operations, are prime targets for cybercriminals. This report delves into the specific vulnerabilities and threats facing media companies, highlighting recent cyberattacks, exploitation tactics, and mitigation strategies. It draws on data from Fortinet and other industry sources to provide a comprehensive overview of the cybersecurity challenges in the media sector.

Technical Information

Media companies are custodians of valuable intellectual property, including unreleased films, scripts, and other digital content. This makes them attractive targets for cybercriminals who employ tactics such as ransomware to lock access to these assets, demanding payment for their release. The reliance on suspense and timing for content releases further exacerbates the impact of such attacks. Additionally, many media companies operate with outdated software and insufficient authentication practices, creating vulnerabilities that cybercriminals can exploit to gain unauthorized access to sensitive systems.

The significant budgets involved in media production also attract cybercriminals seeking to steal financial data or disrupt operations for ransom. The digital distribution of media content increases the attack surface, providing more opportunities for cybercriminals to inject malware into distribution channels. Recent high-profile cyberattacks on media companies underscore the severity of these threats. For instance, in September 2023, hackers stole personally identifiable information of 10.6 million MGM Resorts customers, resulting in a $100 million financial impact. Similarly, a massive data breach in October 2023 exposed nearly 36 million Xfinity accounts, facilitated by exploiting a vulnerability in Citrix software.

Advanced Persistent Threat (APT) groups, such as the Cl0p ransomware group, have been known to target media companies using sophisticated techniques like exploiting large file transfer systems. These groups often have ties to nation-state actors, increasing the complexity and severity of attacks. Common tactics, techniques, and procedures (TTPs) include spear-phishing, supply chain attacks, and exploiting zero-day vulnerabilities. The "HTTP/2 Rapid Reset" vulnerability, identified by Cloudflare, exemplifies the type of zero-day exploits used in large-scale attacks.

A critical vulnerability, CVE-2024-23113, affects FortiOS, FortiPAM, FortiProxy, and FortiWeb, allowing remote code execution. This vulnerability is actively exploited in the wild, and organizations are urged to apply vendor-provided mitigations promptly. The exploitation of such vulnerabilities can lead to unauthorized access, data breaches, and significant financial losses.

Exploitation in the Wild

The exploitation of vulnerabilities in media companies is not just theoretical; it is happening in real time. Exploitation of vulnerabilities like CVE-2024-23113 has been observed, with attackers leveraging these weaknesses to execute remote code and gain control over critical systems. Indicators of Compromise (IOCs) include unusual network traffic patterns, unauthorized access attempts, and the presence of known malware signatures. The exploitation of the Citrix vulnerability in the Comcast (Xfinity) breach is a prime example of how attackers can infiltrate systems through third-party software vulnerabilities.

APT Groups using this vulnerability

APT groups, particularly those with ties to nation-state actors, are actively exploiting vulnerabilities in media companies. The Cl0p ransomware group is one such entity, known for its sophisticated attacks on large file transfer systems. These groups target media companies in various sectors and countries, including the United States and Europe, aiming to steal intellectual property, disrupt operations, and demand ransoms.

Affected Product Versions

The critical vulnerability CVE-2024-23113 affects several Fortinet products, including FortiOS, FortiPAM, FortiProxy, and FortiWeb. Specific versions impacted include FortiOS versions 6.4.0 to 6.4.9, FortiPAM versions 1.0.0 to 1.0.3, FortiProxy versions 7.0.0 to 7.0.5, and FortiWeb versions 6.3.0 to 6.3.15. Organizations using these products should prioritize applying the latest patches and updates provided by Fortinet.
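As an added example (written for this note, not Rescana's or Fortinet's code), the following inventory check flags assets whose product and version fall inside the ranges listed above. The hostnames and versions are constructed, and the ranges are exactly those stated in this report, so confirm them against Fortinet's own advisory before scheduling patches.

```python
# Added example: triage an asset inventory against the affected version ranges
# as stated in this report (inclusive). The ranges below are copied from the
# report text, not from Fortinet's advisory; verify them before acting.

AFFECTED = {
    "FortiOS":    ((6, 4, 0), (6, 4, 9)),
    "FortiPAM":   ((1, 0, 0), (1, 0, 3)),
    "FortiProxy": ((7, 0, 0), (7, 0, 5)),
    "FortiWeb":   ((6, 3, 0), (6, 3, 15)),
}

def parse_version(text):
    """Turn 'v7.0.5' / '7.0.5' / '7.0' into a comparable tuple; reject junk."""
    parts = text.strip().lstrip("vV").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))  # pad '7.0' to (7, 0, 0)

def is_affected(product, version):
    """True if (product, version) lies inside a listed range, bounds inclusive."""
    rng = AFFECTED.get(product)
    if rng is None:
        return False  # product not named in the report
    low, high = rng
    return low <= parse_version(version) <= high

def triage(inventory):
    """Return [(hostname, product, version)] entries that need attention.
    Unparseable versions are surfaced rather than silently skipped."""
    hits = []
    for host, product, version in inventory:
        try:
            if is_affected(product, version):
                hits.append((host, product, version))
        except ValueError:
            hits.append((host, product, f"UNKNOWN({version})"))
    return hits

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "6.4.7"),
    ("fw-edge-02", "FortiOS", "6.4.10"),
    ("pam-01", "FortiPAM", "v1.0.3"),
    ("proxy-01", "FortiProxy", "7.0.6"),
    ("waf-01", "FortiWeb", "6.3"),
    ("waf-02", "FortiWeb", "build-2024"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_INVENTORY):
        print("REVIEW:", *hit)
```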

Workaround and Mitigation

To mitigate the risks associated with these vulnerabilities, media companies should implement several key strategies. Data encryption is essential to prevent unauthorized access and data breaches. Implementing least-privilege access ensures that only necessary personnel have access to sensitive areas of the network. Strengthening authentication practices with multi-factor authentication (MFA) can deter opportunistic attackers. Regular penetration testing and patching are crucial to identify and address vulnerabilities promptly. Securing all endpoints and implementing zero-trust principles can prevent unauthorized access to the network. Finally, systematic security training for staff on cybersecurity best practices can reduce the risk of human error leading to breaches.

References

For further reading and detailed information, please refer to the following sources: Fortinet's analysis on Cyberattacks on Media Companies and Cybersecurity Measures (https://www.fortinet.com/solutions/industries/media-entertainment/cyberattacks-on-media-companies), SecurityWeek's report on Organizations Warned of Exploited Fortinet FortiOS Vulnerability (https://www.securityweek.com/organizations-warned-of-exploited-fortinet-fortios-vulnerability/), and The Hacker News article on CISA Warns of Critical Fortinet Flaw (https://thehackernews.com/2024/10/cisa-warns-of-critical-fortinet-flaw-as.html).

Rescana is here for you

At Rescana, we are committed to helping our customers navigate the complex cybersecurity landscape. Our Continuous Threat and Exposure Management (CTEM) platform provides comprehensive solutions to identify, assess, and mitigate cybersecurity risks. We are here to support you in safeguarding your digital assets and maintaining operational integrity. If you have any questions about this report or any other cybersecurity concerns, please do not hesitate to contact us at ops@rescana.com.
