Advanced persistent threat (APT) actors are leveraging vulnerabilities in Fortinet FortiOS in ongoing attacks targeting commercial, government, and technology services networks, according to the US government.
Following the recent release of security patches covering critical security vulnerabilities in Fortinet’s flagship FortiOS product, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory.
Threat actors have been found targeting three Fortinet FortiOS vulnerabilities in the last month, according to the two agencies: CVE-2018-13379 (a path traversal vulnerability in the FortiOS SSL VPN web portal), CVE-2020-12812 (a FortiOS SSL VPN two-factor authentication bypass), and CVE-2019-5591 (a lack of LDAP server identity verification in the default configuration).
To date, the observed operation has only included scanning for the FortiOS SSL VPN web portal vulnerability on ports 4443, 8443, and 10443, as well as enumeration of devices potentially vulnerable to the other two security flaws. Attacks, on the other hand, may escalate unexpectedly.
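Because the only activity observed so far is scanning of the SSL VPN web portal ports named above, the most useful thing a defender can do right now is spot that scanning in their own perimeter logs. The following is an added example, not code from the advisory or from Fortinet: it parses a constructed, simplified firewall log (the format is an assumption; adapt `parse_line` to your real export) and flags any source address that probes several distinct (host, port) pairs among 4443, 8443 and 10443 within a short window, which separates a sweep from a single legitimate VPN user.

```python
"""
Added example (not from the advisory or the article): flag external hosts
sweeping the FortiOS SSL VPN web portal ports named in the CISA/FBI advisory.
The log format below is constructed for this example only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the advisory reports being scanned for the SSL VPN web portal.
SSL_VPN_PORTS = {4443, 8443, 10443}

# Constructed sample lines: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
# 198.51.100.7 sweeps four SSL VPN endpoints in a few seconds; the other two
# sources each touch a single endpoint, which looks like ordinary use.
SAMPLE_LOG = """\
2021-04-02T10:00:01Z 198.51.100.7 -> 192.0.2.10:4443 deny
2021-04-02T10:00:02Z 198.51.100.7 -> 192.0.2.10:8443 deny
2021-04-02T10:00:03Z 198.51.100.7 -> 192.0.2.11:10443 deny
2021-04-02T10:00:04Z 198.51.100.7 -> 192.0.2.12:4443 deny
2021-04-02T10:00:05Z 203.0.113.5 -> 192.0.2.10:443 allow
2021-04-02T10:00:06Z 203.0.113.5 -> 192.0.2.10:4443 allow
2021-04-02T11:30:00Z 192.0.2.50 -> 192.0.2.10:10443 allow
"""


def parse_line(line):
    """Parse one constructed log line into a dict; dst_port is an int."""
    ts, src, _arrow, dst, action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "dst_ip": dst_ip,
        "dst_port": int(dst_port),
        "action": action,
    }


def find_scanners(log_text, window=timedelta(minutes=5), min_targets=3):
    """Return {src_ip: sorted (dst_ip, dst_port) pairs} for every source that
    hits at least `min_targets` distinct SSL VPN endpoints within `window`.
    Connections to other ports are ignored; allow/deny does not matter, since
    a probe that was allowed is the more interesting one."""
    events = [parse_line(l) for l in log_text.strip().splitlines() if l.strip()]
    events = [e for e in events if e["dst_port"] in SSL_VPN_PORTS]

    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    hits = {}
    for src, evs in by_src.items():
        start = 0
        # Sliding time window over this source's SSL VPN port events.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            targets = {(e["dst_ip"], e["dst_port"]) for e in evs[start:end + 1]}
            if len(targets) >= min_targets:
                # Report every SSL VPN endpoint this source touched.
                hits[src] = sorted({(e["dst_ip"], e["dst_port"]) for e in evs})
                break
    return hits


if __name__ == "__main__":
    for src, targets in find_scanners(SAMPLE_LOG).items():
        print(f"possible SSL VPN portal sweep from {src}: {targets}")
```

Run as-is it reports `198.51.100.7` and its four targets and stays silent on the two single-endpoint sources. The `min_targets` and `window` thresholds are the tuning knobs: lower them on a small estate where a handful of portal hits from one outside address is already unusual, raise them where many remote users legitimately reach several gateways.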
According to the advisory, “APT actors have previously exploited critical vulnerabilities to execute distributed denial-of-service (DDoS) attacks, ransomware attacks, SQL injection attacks, spearphishing operations, website defacements, and misinformation campaigns.”
The two agencies also point out that recent activity targeting the three Fortinet FortiOS vulnerabilities is most likely aimed at giving threat actors access to commercial, government, and technology services organisations’ networks.
According to CISA and the FBI, “APT actors could be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors as pre-positioning for follow-on data exfiltration or data encryption attacks.”
According to the two agencies, additional CVEs and other common exploitation techniques may be used in attacks aimed at gaining access to critical infrastructure networks.
To stay secure, organisations should apply the available patches for CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 as soon as possible; back up data; implement network segmentation; restrict software installation to administrator accounts; use multi-factor authentication; disable unused ports; install an antivirus and keep it updated; and keep the operating system up to date. This story will be updated as we continue to learn more.