While performing routine monitoring, Cyble’s Global Sensor Intelligence (GSI) discovered a threat actor distributing unauthorized access to several Fortinet VPNs on a Russian cybercrime forum.
When they evaluated the access, researchers realized that the attacker was trying to add a new public key to the admin user’s account. Further investigation revealed that the targeted organizations were running outdated FortiOS software.
This indicated that the attacker was bypassing authentication by exploiting the flaw tracked as CVE-2022-40684 in FortiOS, an authentication bypass using an alternate path or channel. The flaw lets an unauthorized, unauthenticated attacker perform operations on the administrative interface.
Impacted Products and Firmware Versions
According to Cyble’s research published on November 24, 2022, multiple Fortinet versions are affected by this flaw, including FortiOS, FortiProxy, and FortiSwitchManager. The vulnerability allows an attacker to perform operations on the “administrative interface” through specially created HTTPS or HTTP requests, Cyble’s advisory read.
As seen by Hackread.com, another threat actor on the same Russian hacker forum is currently offering the same Fortinet VPN exploit. In a listing published earlier today, the threat actor cited a Censys search showing more than 400,000 exposed devices.
According to Cyble’s researchers, the following Fortinet products and versions are impacted.
- FortiProxy version 7.2.0
- FortiSwitchManager version 7.2.0
- FortiSwitchManager version 7.0.0
- FortiOS version 7.0.0 through 7.0.6
- FortiOS version 7.2.0 through 7.2.1
- FortiProxy version 7.0.0 through 7.0.6
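The version ranges above are the first thing a defender checks against their own inventory. The following script is an added example, not code from Cyble or Fortinet: it encodes exactly the ranges listed in this article (inclusive bounds) and flags inventory entries that fall inside them. The inventory rows and hostnames are constructed for the example, and a version outside every listed range is reported as "not listed" rather than "safe", because the article does not enumerate other branches.

```python
"""Triage a Fortinet inventory against the affected ranges listed in the article."""
import re

# Affected ranges exactly as listed in the article (inclusive lower and upper bounds).
AFFECTED = {
    "FortiOS": [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 1))],
    "FortiProxy": [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 0))],
    "FortiSwitchManager": [((7, 0, 0), (7, 0, 0)), ((7, 2, 0), (7, 2, 0))],
}

# Accepts "7.0.5", "v7.0.5" and "v7.0.5,build0304"-style strings (the build suffix is ignored).
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a firmware string, or raise on unparseable input."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(product, version):
    """True if the product/version pair lies inside one of the listed affected ranges."""
    ranges = AFFECTED.get(product)
    if ranges is None:
        raise ValueError(f"product not covered by the listed ranges: {product!r}")
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in ranges)


def triage(inventory):
    """Map each (host, product, version) row to 'affected' or 'not listed'."""
    return {
        host: "affected" if is_affected(product, version) else "not listed"
        for host, product, version in inventory
    }


# Constructed inventory for the example; hostnames and versions are invented.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "v7.0.5,build0304"),
    ("fw-edge-02", "FortiOS", "7.0.7"),
    ("proxy-dmz-01", "FortiProxy", "7.2.0"),
    ("swm-core-01", "FortiSwitchManager", "7.0.1"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

"not listed" deliberately avoids the word "safe": the check only knows the ranges printed in this article, so treat it as a prioritisation aid and confirm against the vendor advisory before closing a ticket.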
Research revealed that Fortinet software had been targeted since 17 October 2022. The attacker exploits the access-control mechanism of a function that decides whether a request may reach the device’s REST API, and uses it against the impacted versions of Fortinet products.
Once that check is bypassed, the attacker adds an SSH key to the admin account, logs in over SSH and operates on the impacted system as admin.
To further compromise the system, the threat actor modifies the admin user’s SSH key and logs in to the infected system. They then add new local users and update networking configurations to reroute traffic. Next, the attacker downloads the system configuration and initiates packet captures to collect sensitive system information.
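The post-exploitation sequence just described (admin SSH key changed, new local users, routing changes, configuration export) is what a defender should be hunting for in FortiOS event logs. The script below is an added example, not code from Cyble or Fortinet. It parses key=value log lines, tags the four configuration events, and raises the severity when the change comes from an address outside a management allowlist. The log lines are constructed: the field names follow the general FortiOS key=value layout (user, ui, action, cfgpath, cfgattr), but every value, address and timestamp is invented, and the allowlist is an assumption for the example.

```python
"""Flag the admin-key / new-user / reroute / config-export sequence in FortiOS-style logs."""
import re
from collections import defaultdict

# Assumed management hosts that are allowed to change configuration (example only).
MANAGEMENT_ALLOWLIST = {"10.10.0.5"}

# Constructed log lines; not real captures. Addresses are documentation ranges.
SAMPLE_LOGS = [
    'date=2022-10-17 time=02:14:05 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.50)" action="Edit" cfgpath="system.admin" cfgobj="admin" cfgattr="ssh-public-key1[ssh-rsa AAAA...constructed]" msg="Edit system.admin admin"',
    'date=2022-10-17 time=02:16:41 type="event" subtype="system" logdesc="Object configured" user="admin" ui="ssh(203.0.113.50)" action="Add" cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"',
    'date=2022-10-17 time=02:18:03 type="event" subtype="system" logdesc="Object configured" user="admin" ui="ssh(203.0.113.50)" action="Add" cfgpath="router.static" cfgobj="7" msg="Add router.static 7"',
    'date=2022-10-17 time=02:19:30 type="event" subtype="system" logdesc="Configuration backed up" user="admin" ui="ssh(203.0.113.50)" action="backup-config" msg="Configuration is backed up to local"',
    'date=2022-10-17 time=09:00:12 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(10.10.0.5)" action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="comments[routine change]" msg="Edit firewall.policy 12"',
]

# key="quoted value" or key=barevalue
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# ui="https(203.0.113.50)" -> 203.0.113.50
UI_SOURCE_RE = re.compile(r"\(([^)]+)\)")


def parse_line(line):
    """Turn one key=value log line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def source_of(event):
    """Client address from the ui field, or None for console/unknown sessions."""
    m = UI_SOURCE_RE.search(event.get("ui", ""))
    return m.group(1) if m else None


def classify(event):
    """Name of the matching rule for one event, or None if it is not of interest."""
    path = event.get("cfgpath", "")
    attr = event.get("cfgattr", "")
    action = event.get("action", "")
    if path == "system.admin" and attr.startswith("ssh-public-key"):
        return "admin_ssh_key_changed"
    if path == "system.admin" and action == "Add":
        return "local_admin_added"
    if path.startswith("router."):
        return "routing_changed"
    if action == "backup-config":
        return "config_exported"
    return None


def analyse(lines, allowlist=MANAGEMENT_ALLOWLIST):
    """Return one finding per interesting event; high severity if the source is not allowlisted."""
    findings = []
    for line in lines:
        event = parse_line(line)
        rule = classify(event)
        if rule is None:
            continue
        src = source_of(event)
        findings.append({
            "time": f'{event.get("date")} {event.get("time")}',
            "rule": rule,
            "user": event.get("user"),
            "source": src,
            "severity": "high" if src not in allowlist else "medium",
        })
    return findings


def suspected_chains(findings, min_rules=3):
    """Sources that triggered several distinct rules, i.e. the full sequence rather than one change."""
    rules_by_source = defaultdict(set)
    for f in findings:
        rules_by_source[f["source"]].add(f["rule"])
    return {src for src, rules in rules_by_source.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = analyse(SAMPLE_LOGS)
    for f in found:
        print(f)
    print("suspected chains from:", suspected_chains(found))
```

Correlating by source matters more than any single rule: a lone SSH-key edit from a management host is routine, while key edit, new admin, new route and a config export from one unknown address within a few minutes is the pattern this article describes.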
The Dark Web Connection
According to researchers, there are over a hundred thousand internet-exposed FortiGate firewalls that are within reach of attackers and vulnerable to the flaw. Given the sheer number of exposed products, the vulnerability was categorized as critical.
Researchers suspect that sensitive system data, configuration information, and network details might be shared over the Dark Web. That’s because the attacker can add or update a valid public SSH key on the targeted account of a system and gain full access to that system.
Moreover, after obtaining information via exploitation of this flaw, the attacker may launch additional attacks against the rest of the organization’s IT ecosystem. The initial access being distributed over the Dark Web is the kind that has been used in several high-profile attacks lately.