Great Lakes IT Services

Great Lakes IT Services is a Managed Services Provider serving Western New York. We take a proactive, predictive approach to IT services. (716) 783-3030

Call us now for a Free Consultation. We specialize in immediate and affordable network, server, and computer support for any size or type of business. We also offer data backup and disaster recovery solutions along with 24-hour system monitoring and security.

04/15/2026

THREAT BRIEF (HIGH): Adobe Acrobat Zero-Day Exploited in the Wild
Apr 15, 2026

What is the situation?
Adobe has released an emergency security update for Acrobat and Reader to address CVE-2026-34621, a vulnerability that has been actively exploited in zero-day attacks since at least December.
The vulnerability allows a malicious PDF to bypass sandbox restrictions and invoke privileged JavaScript APIs, enabling arbitrary code execution and file theft; the only user interaction required is opening the PDF.
The exploit abuses privileged APIs such as util.readFileIntoStream() to read local files and RSS.addFeed() to exfiltrate data and pull in additional attacker-controlled code.
Attacks observed in the wild used Russian-language documents with oil and gas industry lures as the delivery mechanism.
What is PDI doing?
PDI applies patches when released, in accordance with vendor recommendations, and actively threat hunts for indications of compromise within managed client environments.
What should I do?
Users running Acrobat DC or Reader DC version 26.001.21367 or earlier, or Acrobat 2024 version 24.001.30356 or earlier, should update immediately via Help > Check for Updates.
There are no workarounds or interim mitigations; applying the security update is the only recommended course of action. In general, users should open attachments only from expected sources and avoid interacting with unknown senders.

05/28/2025

THREAT BRIEF (HIGH): FBI Warns of Silent Ransom Group Targeting Law Firms for Data Theft and Extortion
May 27, 2025

What is the situation?
The Federal Bureau of Investigation (FBI) has issued a warning regarding the Silent Ransom Group (SRG) targeting law firms using information technology (IT)-themed social engineering calls and callback phishing emails to gain remote access to systems or devices and steal sensitive legal data.
SRG, also known as Luna Moth, Chatty Spider, and UNC3753, originated from the now-defunct Conti ransomware syndicate and has evolved into a standalone threat actor specializing in data theft and extortion. Since early 2023 the group has targeted companies across various sectors. In recent months, however, there has been a notable shift in focus toward US-based law firms, likely because of the highly sensitive nature of legal industry data.
Following the theft of data, SRG issues ransom notes demanding payment to prevent the release or sale of stolen information. In some cases, they even make follow-up phone calls to apply pressure on companies, attempting to coerce them into negotiations.
What should I do?
Organizations are advised to implement basic cybersecurity hygiene to defend against these advanced threats.
• Use strong, unique passwords
• Enable multi-factor authentication (MFA)
• Educate staff about social engineering attacks through awareness training and phishing simulations
• Conduct regular data backups and system audits
Additionally, organizations are urged to monitor for unauthorized remote access tools, regularly scan for unusual outbound data flows, and report any suspected phishing or social engineering attacks to the authorities.
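The two monitoring recommendations above can be turned into simple hunts. The following is an added example, not code from the FBI alert or from the original post: it runs over constructed Windows process-creation events and outbound flow records and flags remote-access tools that are not on an approved list, plus hosts sending unusually large volumes to external addresses. The tool names, the approved set, hostnames, addresses, the threshold and every record are assumptions made up for illustration.

```python
"""Added example, not part of the FBI alert or the original post: two small
hunts over constructed Windows process-creation events and flow records for
the behaviours the advisory says to watch for, remote-access tools nobody
approved and unusually large outbound transfers. Tool names, hosts, addresses,
thresholds and every log record below are assumptions made up for illustration."""
import ipaddress
import re
from collections import defaultdict

# Remote-access / RMM products often abused after a callback-phishing call.
# Illustrative pattern list (assumption); extend it to match your own estate.
REMOTE_TOOL_RE = re.compile(
    r"(anydesk|teamviewer|rustdesk|screenconnect|splashtop|atera|zohoassist|logmein)",
    re.IGNORECASE,
)

# Tools the organisation has sanctioned (assumption). A match above that is
# not in this set is an unauthorised remote-access tool.
APPROVED_TOOLS = {"screenconnect"}

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed process-creation events (Sysmon event 1 / Security 4688 style).
PROCESS_EVENTS = [
    {"host": "LAW-WS07", "user": "jdoe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n"},
    {"host": "LAW-WS07", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --silent"},
    {"host": "LAW-WS12", "user": "svc_rmm",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "cmdline": "ScreenConnect.ClientService.exe"},
]

# Constructed outbound flow records (bytes sent by a host to a destination).
FLOW_RECORDS = [
    {"host": "LAW-WS07", "dst": "203.0.113.50", "bytes_out": 900_000_000},
    {"host": "LAW-WS07", "dst": "203.0.113.50", "bytes_out": 1_200_000_000},
    {"host": "LAW-WS07", "dst": "10.0.0.5", "bytes_out": 5_000_000_000},  # internal file server
    {"host": "LAW-WS12", "dst": "198.51.100.7", "bytes_out": 20_000_000},
]


def unauthorised_remote_tools(events):
    """Return (host, user, image, tool) for each event whose image path or
    command line names a remote-access tool outside the approved set."""
    hits = []
    for ev in events:
        m = REMOTE_TOOL_RE.search(ev["image"] + " " + ev["cmdline"])
        if m and m.group(1).lower() not in APPROVED_TOOLS:
            hits.append((ev["host"], ev["user"], ev["image"], m.group(1).lower()))
    return hits


def is_internal(ip):
    """True for RFC 1918 destinations (explicit list, so documentation
    ranges used in the sample data count as external)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def large_outbound_flows(records, threshold_bytes):
    """Sum bytes sent per (host, external destination) and return the pairs at
    or above the threshold. Internal destinations are ignored, so a large copy
    to a file server does not trigger on its own."""
    totals = defaultdict(int)
    for rec in records:
        if not is_internal(rec["dst"]):
            totals[(rec["host"], rec["dst"])] += rec["bytes_out"]
    return {pair: total for pair, total in totals.items() if total >= threshold_bytes}


if __name__ == "__main__":
    for hit in unauthorised_remote_tools(PROCESS_EVENTS):
        print("unapproved remote-access tool:", hit)
    for (host, dst), total in large_outbound_flows(FLOW_RECORDS, 1_000_000_000).items():
        print(f"{host} sent {total / 1e9:.1f} GB to {dst}")
```

Both checks are deliberately coarse: name matching catches renamed binaries only if the command line still mentions the product, and a fixed byte threshold should be replaced with a per-host baseline once you have one. The point is that the two findings together, an unapproved tool followed by a large transfer from the same host, are exactly the sequence the advisory describes.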

10/11/2024

THREAT BRIEF (HIGH): CISA Warns of Attacks Exploiting Critical Fortinet RCE Vulnerability
Oct 11, 2024
What is the situation?
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that a critical FortiOS remote code execution (RCE) vulnerability is being actively exploited in the wild. The vulnerability, disclosed in February and tracked as CVE-2024-23113 (CVSS score: 9.8), is a remote code execution flaw affecting FortiOS, FortiPAM, FortiProxy and FortiWeb. Affected versions are FortiOS 7.0 and later, FortiPAM 1.0 and later, FortiProxy 7.0 and later, and FortiWeb 7.4.
In response, CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog, which requires U.S. federal agencies to remediate it within three weeks of the addition under Binding Operational Directive 22-01, issued in November 2021.
CVE-2024-23113 affects the FortiOS fgfmd daemon and could allow a remote attacker to execute code and commands via specially crafted packets. Fortinet initially stated that it was not aware of in-the-wild exploitation; CISA has since confirmed that the vulnerability is being actively exploited.
Currently, there is limited information provided on CISA’s advisory. It is unclear what type of attacks were committed or who may have been responsible for the activity.

What should I do?
Fortinet has already released patches to address CVE-2024-23113. Organizations managing their own Fortinet devices are strongly urged to upgrade their systems to the latest versions to reduce their exposure to cyberattacks and decrease the risk of compromise.
In addition to applying patches, administrators should consider implementing network segmentation and access controls to limit potential attack vectors. Removing fgfm access to all interfaces can serve as a temporary mitigation measure until patches are applied.
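The interim mitigation above means checking every interface's allowaccess list for fgfm and removing it. The following is an added example, not code from Fortinet or CISA: it parses a FortiOS "config system interface" block, reports which interfaces still allow fgfm, and prints the CLI that strips it. SAMPLE_CONFIG is constructed to look like FortiOS output; the interface names and addresses are assumptions.

```python
"""Added example, not from Fortinet or CISA: audit a FortiOS 'config system
interface' block for interfaces that still allow fgfm (the FortiGate to
FortiManager protocol handled by fgfmd) and emit the CLI that removes it,
which is the interim mitigation named above. SAMPLE_CONFIG is constructed to
look like FortiOS output; interface names and addresses are assumptions."""

SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh fgfm
        set type physical
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "port2"
        set vdom "root"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https ssh
        set type physical
    next
    edit "mgmt"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess fgfm
        set type physical
    next
end
"""


def parse_interfaces(config_text):
    """Map interface name -> list of allowaccess protocols (empty list when
    the interface has no 'set allowaccess'). Tracks config/end nesting so
    'edit' entries inside sub-blocks such as 'config ipv6' or
    'config secondaryip' are not mistaken for interfaces."""
    interfaces, current, depth = {}, None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            depth -= 1
        elif depth != 1:
            continue
        elif line.startswith("edit "):
            current = line[len("edit "):].strip().strip('"')
            interfaces[current] = []
        elif line.startswith("set allowaccess ") and current is not None:
            interfaces[current] = line[len("set allowaccess "):].split()
        elif line == "next":
            current = None
    return interfaces


def fgfm_exposed(interfaces):
    """Names of interfaces whose allowaccess list includes fgfm."""
    return sorted(name for name, protos in interfaces.items() if "fgfm" in protos)


def remediation_cli(interfaces):
    """CLI that rewrites allowaccess without fgfm on every exposed interface,
    using 'unset allowaccess' when fgfm was the only protocol."""
    lines = ["config system interface"]
    for name in fgfm_exposed(interfaces):
        keep = [p for p in interfaces[name] if p != "fgfm"]
        lines.append(f'    edit "{name}"')
        lines.append(f"        set allowaccess {' '.join(keep)}" if keep
                     else "        unset allowaccess")
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_CONFIG)
    print("fgfm exposed on:", ", ".join(fgfm_exposed(ifaces)) or "none")
    print(remediation_cli(ifaces))
```

Feed it the output of "show system interface" from the device. fgfm is the protocol FortiManager uses to talk to the FortiGate, so review Fortinet's advisory for the effect on your management path before pushing the change, and treat the result as a stopgap until the upgrade is applied.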


01/31/2024

THREAT BRIEF (HIGH): New Ivanti Connect Secure Zero-Day Exploited by Threat Actors
Jan 31, 2024

What is the situation?
Ivanti has issued a warning about two new vulnerabilities affecting its Connect Secure, Policy Secure and ZTA gateway products. One of them, CVE-2024-21893, is a zero-day that is being actively exploited: a server-side request forgery flaw in the SAML component of the gateways that allows attackers to bypass authentication and reach restricted resources on affected devices. The second, CVE-2024-21888, is in the gateways' web component and allows attackers to escalate privileges to administrator level.
Additionally, Ivanti has released patches for two previously disclosed zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) that have been used in attacks since January 11 to deploy malware on vulnerable devices. Over 460 compromised Ivanti VPN devices were discovered on January 30 alone, and the United States Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive (ED 24-01) to address these issues due to their widespread exploitation.
Victims of these vulnerabilities include a range of organizations, from government and military entities to companies in banking, finance, telecommunications, aerospace and technology, of varying sizes, including Fortune 500 companies.

What should I do?
Organizations using Ivanti Connect Secure, Policy Secure and ZTA gateways should take the following actions:
• Immediately Apply Patches: Ivanti has released security patches for some affected ZTA and Connect Secure versions. Ensure these patches are applied promptly in accordance with their advisory.
• Implement CISA’s Emergency Directive: To mitigate the identified vulnerabilities, federal agencies must comply with CISA's emergency directive ED 24-01.

02/10/2023

Even though Microsoft won't admit it, the "News and Interests" widget has a memory leak and runs your disk usage up to 100%. Turn it OFF! See the attached:

Is your task manager showing news and interests taking up memory? In this tutorial, we are going to learn how to fix news and interests taking up memory in Windows 10.

09/22/2021

A new SATNews story has been added to the feed.

CISA Advisory released for NETGEAR RCE Vulnerability

*** Executive Summary ***

NETGEAR has released security updates to address a remote code execution vulnerability (CVE-2021-40847) in multiple NETGEAR routers. A remote attacker could exploit this vulnerability to take control of an affected device. With the rise of remote work and the prevalence of NETGEAR products in homes, organizations should encourage remote workers who own NETGEAR routers to upgrade to the latest firmware.

NETGEAR's security advisory, with affected product models and firmware upgrades, can be found here: https://kb.netgear.com/000064039/Security-Advisory-for-Remote-Code-Execution-on-Some-Routers-PSV-2021-0204

*** Recommendations ***

- Organizations with remote workers should encourage their users to upgrade their NETGEAR devices to the latest firmware version, which mitigates the remote code execution vulnerability.

To download the latest firmware for your NETGEAR product:

1) Visit NETGEAR Support. https://www.netgear.com/support/
2) Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears. (If you do not see a drop-down menu, make sure that you entered your model number correctly, or select a product category to browse for your product model.)
3) Click Downloads.
4) Under Current Versions, select the first download whose title begins with Firmware Version.
5) Click Release Notes.
6) Follow the instructions in the firmware release notes to download and install the new firmware.

NOTE: Firmware upgrades usually require a reboot of the device and will briefly interrupt the network.


09/10/2021

Over 500,000 Fortinet VPN Credentials Leaked on Dark Web

*** Executive Summary ***

A threat actor has leaked a list of almost 500,000 Fortinet VPN login names and passwords that were allegedly scraped from exploitable devices last summer.
While the threat actor states that the exploited Fortinet vulnerability has since been patched, they claim that many VPN credentials are still valid.
This leak is a serious incident as the VPN credentials could allow threat actors to access a network to perform data exfiltration, install malware, and perform ransomware attacks.

The vulnerability exploited to harvest the credentials has been identified as CVE-2018-13379, which was covered in a previous SATNews and flagged by CISA as a major threat.

The vulnerability affects the following products:

FortiOS 6.0 - 6.0.0 to 6.0.4
FortiOS 5.6 - 5.6.3 to 5.6.7
FortiOS 5.4 - 5.4.6 to 5.4.12
Other branches and versions are not impacted. The affected versions are exploitable ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled.

Nuspire has previously audited all managed devices and upgraded firmware to mitigate against this vulnerability when the vulnerability was first discovered. As of writing Nuspire has no indications of any exposure when these credentials were harvested.

*** Recommendations ***

- For organizations managing their own FortiGate, verify firmware has been upgraded to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.
- The Security advisory for this CVE can be found here: https://www.fortiguard.com/psirt/FG-IR-18-384
- If you are on an affected version, assume all VPN credentials have been compromised and force a password reset.

A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.
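The "am I on an affected version" checks in this brief and in the Adobe Acrobat brief above are the same problem: compare an installed version against ranges quoted from the advisory. The following is an added example, not code from Adobe, Fortinet or the original posts: it triages a constructed inventory against the ranges stated on this page (Acrobat DC / Reader DC 26.001.21367 or earlier, Acrobat 2024 24.001.30356 or earlier, FortiOS 6.0.0-6.0.4, 5.6.3-5.6.7 and 5.4.6-5.4.12, the latter only with SSL VPN enabled). Versions are compared as integer tuples, since comparing the raw strings gets the answer wrong ("26.001.9999" sorts after "26.001.21367" as text). Hostnames, build numbers and the "newer than listed" version strings are assumptions, not Adobe's or Fortinet's fixed versions.

```python
"""Added example, not from Adobe, Fortinet or the original posts: triage an
inventory against the affected ranges the two briefs above state (Acrobat DC /
Reader DC and Acrobat 2024 'version X or earlier'; FortiOS 6.0.0-6.0.4,
5.6.3-5.6.7 and 5.4.6-5.4.12, reachable only with SSL VPN enabled). Versions
are compared as integer tuples because comparing the raw strings is wrong:
'26.001.9999' sorts after '26.001.21367' as text. Hostnames, build numbers and
the 'newer than listed' version strings are constructed assumptions, not
Adobe's or Fortinet's fixed versions."""


def parse_version(text):
    """'26.001.21367' -> (26, 1, 21367); 'v6.0.4,build0231' -> (6, 0, 4).
    Tuples compare numerically, unlike the raw strings."""
    core = text.strip().lstrip("vV").split(",")[0]
    return tuple(int(part) for part in core.split("."))


# Inclusive (lowest, highest) affected ranges, taken from the briefs above.
AFFECTED = {
    "Acrobat DC":   [((0,), (26, 1, 21367))],   # "26.001.21367 or earlier"
    "Reader DC":    [((0,), (26, 1, 21367))],
    "Acrobat 2024": [((24,), (24, 1, 30356))],  # "24.001.30356 or earlier"
    "FortiOS": [((6, 0, 0), (6, 0, 4)),
                ((5, 6, 3), (5, 6, 7)),
                ((5, 4, 6), (5, 4, 12))],       # fixed in 6.0.5, 5.6.8, 5.4.13, 6.2.0+
}


def is_affected(product, version):
    """True when the parsed version falls inside any affected range for the product."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED.get(product, []))


def triage(inventory):
    """Rows are (host, product, version, ssl_vpn_enabled). Returns
    {host: 'exposed' | 'affected, SSL VPN off'} for every affected host.
    The FortiOS brief says the flaw is only reachable with SSL VPN enabled,
    so those hosts are listed separately; the flag is ignored for Acrobat."""
    result = {}
    for host, product, version, ssl_vpn in inventory:
        if not is_affected(product, version):
            continue
        if product == "FortiOS" and not ssl_vpn:
            result[host] = "affected, SSL VPN off"
        else:
            result[host] = "exposed"
    return result


# Constructed inventory; versions marked hypothetical are not real releases.
INVENTORY = [
    ("PC-ACCT01", "Reader DC", "26.001.21367", None),
    ("PC-ACCT02", "Reader DC", "26.001.9999", None),       # hypothetical older build
    ("PC-HR04", "Acrobat DC", "26.001.21400", None),       # hypothetical newer build
    ("PC-LEGAL03", "Acrobat 2024", "24.001.30356", None),
    ("FW-EDGE", "FortiOS", "v6.0.4,build0231", True),
    ("FW-LAB", "FortiOS", "v5.6.5,build1600", False),
    ("FW-BRANCH", "FortiOS", "v6.0.5,build0268", True),
    ("FW-DC", "FortiOS", "v6.2.0,build0866", True),
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

An "affected, SSL VPN off" FortiGate still needs the upgrade; the split only tells you which boxes to do first and whose VPN credentials to reset today.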

08/27/2021

A new SATNews story has been added to the feed.

New Microsoft Azure Cosmos Database vulnerability patched

*** Executive Summary ***

Microsoft has warned thousands of its Azure cloud computing customers, including many Fortune 500 companies, about a vulnerability that left their data completely exposed for the last two years. A flaw in Microsoft's Azure Cosmos DB database product left more than 3,300 Azure customers open to complete unrestricted access by attackers. The vulnerability was introduced in 2019 when Microsoft added a data visualization feature called Jupyter Notebook to Cosmos DB. The feature was turned on by default for all Cosmos DBs in February 2021.

Despite the severity and risk presented, Microsoft hasn't seen any evidence of the vulnerability leading to illicit data access.

The security researchers who found the issue say that the vulnerability introduced by Jupyter Notebook allowed them to obtain the primary keys securing other customers' Cosmos DB databases. With those keys they had full read, write and delete access to the data of several thousand Microsoft Azure customers.

Microsoft can't change its customers' primary access keys, which is why the company emailed Cosmos DB customers to manually change their keys in order to mitigate exposure. Additionally, Microsoft has stated they have patched the vulnerable notebook issue.

*** Recommendations ***

- Microsoft recommends that Azure Cosmos DB administrators rotate their primary keys to mitigate any potential compromise. To avoid an outage, regenerate the secondary key first, switch applications to it, then regenerate the primary key (and swap back if applications should end up on the primary). Instructions provided by Microsoft can be found here:

Learn about access control concepts in Azure Cosmos DB, including primary keys, read-only keys, users, and permissions.

Address

4955 Chestnut Ridge Road
Orchard Park, NY
14127

Opening Hours

Monday 8am - 5pm
Tuesday 8am - 5pm
Wednesday 8am - 5pm
Thursday 8am - 5pm
Friday 8am - 5pm

Telephone

+17167833030
