According to both agencies, APT nation-state actors are actively exploiting known security vulnerabilities in Fortinet FortiOS, affecting the company’s SSL VPN products.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory to warn organizations and users about how hackers are exploiting critical vulnerabilities in the Fortinet FortiOS VPN.
Their aim is to establish a beachhead from which to breach medium and large businesses in the future.
According to the alert issued on Friday, advanced persistent threat (APT) nation-state actors are actively exploiting known vulnerabilities in the FortiOS cybersecurity operating system, targeting Fortinet’s SSL VPN products. The agencies did not share further details about the APT group.
FortiOS SSL VPNs are used in border firewalls, the devices responsible for cordoning off sensitive internal networks from the public Internet.
How Exploitation Works
The FBI and CISA reported that APT threat actors scan devices on ports 4443, 8443, and 10443 to find unpatched Fortinet deployments. Of particular interest are the vulnerabilities tracked as CVE-2018-13379, CVE-2019-5591, and CVE-2020-12812.
Such groups are known to exploit critical flaws to carry out DDoS attacks, ransomware attacks, spear-phishing campaigns, SQL injection attacks, disinformation campaigns, website defacements, and other similar attacks.
About the Bugs
CVE-2018-13379 is a path-traversal bug in Fortinet FortiOS in which the SSL VPN web portal lets an unauthenticated attacker download system files through specially crafted HTTP resource requests.
CVE-2019-5591 is a default-configuration vulnerability that allows an unauthenticated attacker on the same subnet to capture sensitive information simply by impersonating the LDAP server.
CVE-2020-12812 is an improper-authentication flaw in the FortiOS SSL VPN that lets a user log in successfully without being prompted for FortiToken (the second authentication factor) if they change the case of the username.
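The username-case bypass above belongs to a wider bug class: the primary factor matches usernames case-insensitively, while the second-factor lookup is keyed on the raw string. The following is an added illustration of that class and its fix, not the advisory's text and not Fortinet's code; the user records, passwords and token settings are constructed, and the function names are hypothetical.

```python
# Constructed user store: username -> (password, second factor required?)
# The key is stored in canonical (lower-case) form, as many directories do.
USERS = {
    "alice": ("correct-horse", True),
    "bob": ("hunter2", False),
}


def password_ok(username: str, password: str) -> bool:
    """Primary factor: the backend matches usernames case-insensitively."""
    record = USERS.get(username.lower())
    return record is not None and record[0] == password


def vulnerable_login(username: str, password: str, token_supplied: bool) -> str:
    """Vulnerable pattern: the second-factor requirement is looked up with the
    raw username. 'Alice' is not the stored key 'alice', so the lookup misses,
    defaults to 'no token required', and the MFA prompt is skipped."""
    if not password_ok(username, password):
        return "denied"
    requires_token = USERS.get(username, (None, False))[1]  # case-sensitive
    if requires_token and not token_supplied:
        return "token_required"
    return "granted"


def hardened_login(username: str, password: str, token_supplied: bool) -> str:
    """Fix: canonicalize the identity once, then key every per-user decision
    (password check, MFA policy, lockout, logging) on that canonical value."""
    canonical = username.strip().lower()
    if not password_ok(canonical, password):
        return "denied"
    requires_token = USERS[canonical][1]  # same key the password check used
    if requires_token and not token_supplied:
        return "token_required"
    return "granted"
```

The point is that every lookup tied to a user must use the same canonical identity; a mismatch between authentication and policy lookups is the whole vulnerability.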
Who’s at Risk?
The agencies’ researchers noted that APT actors could use these vulnerabilities to gain an initial foothold in government, technology, and commercial entities.
“Gaining initial access pre-positions the APT actors to conduct future attacks.” After exploitation, the attackers move laterally and conduct surveillance of their targets.
“The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks. APT actors may use other CVEs or common exploitation techniques—such as spear-phishing—to gain access to critical infrastructure networks to pre-position for follow-on attacks.”
Patching the bugs requires configuration changes, and unless the organization’s network has more than one VPN device there will be downtime, which those who need VPN access around the clock may not find easy. The risk of espionage campaigns or ransomware, however, is far greater than that inconvenience.