The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warn that advanced persistent threat (APT) groups are exploiting three vulnerabilities in Fortinet's SSL VPN to gain access to victims' networks, then move laterally and carry out reconnaissance.
According to an alert issued Friday by the FBI and CISA, the attacks are being carried out by nation-state actors. The agencies did not specify which APT groups are behind the recent campaigns against Fortinet VPN devices.
Threat actors scan devices on ports 4443, 8443, and 10443 to find unpatched Fortinet instances. The three flaws the APTs are exploiting are a path-traversal issue in Fortinet FortiOS tracked as CVE-2018-13379, a default-configuration vulnerability in FortiOS tracked as CVE-2019-5591, and an improper-authentication vulnerability in the FortiOS SSL VPN tracked as CVE-2020-12812.
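The scanning behaviour described above is something a defender can look for directly in perimeter logs. The script below is an added example, not code from the advisory or from Threatpost: it reads a constructed, simplified firewall-style log format (one connection per line, `src=`/`dst=`/`dport=` fields), keeps only connections to the three ports named in the alert, and flags any source that, within a sliding time window, either touches all three ports or reaches several distinct hosts on them. The log format, the sample addresses, the five-minute window and the three-host threshold are all assumptions chosen for the example.

```python
"""Flag sources sweeping the Fortinet SSL VPN ports named in the FBI/CISA alert.

Added example; not from the advisory or the article. The log format is a
constructed, simplified firewall-style line:
  <ISO8601 timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Ports the alert says the actors scan for Fortinet SSL VPN instances.
VPN_PORTS = {4443, 8443, 10443}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed sample log: 203.0.113.7 sweeps all three ports on one host and
# then walks 10443 across several hosts; 198.51.100.9 is a normal user.
SAMPLE_LOG = """\
2021-04-02T10:00:01Z src=203.0.113.7 dst=192.0.2.10 dport=4443 action=deny
2021-04-02T10:00:02Z src=203.0.113.7 dst=192.0.2.10 dport=8443 action=deny
2021-04-02T10:00:02Z src=203.0.113.7 dst=192.0.2.10 dport=10443 action=allow
2021-04-02T10:00:05Z src=203.0.113.7 dst=192.0.2.11 dport=10443 action=allow
2021-04-02T10:00:06Z src=203.0.113.7 dst=192.0.2.12 dport=10443 action=deny
2021-04-02T10:00:07Z src=203.0.113.7 dst=192.0.2.13 dport=10443 action=allow
2021-04-02T10:01:00Z src=198.51.100.9 dst=192.0.2.10 dport=10443 action=allow
2021-04-02T10:01:30Z src=198.51.100.9 dst=192.0.2.10 dport=10443 action=allow
2021-04-02T10:02:00Z src=203.0.113.7 dst=192.0.2.10 dport=443 action=allow
2021-04-02T11:30:00Z src=203.0.113.7 dst=192.0.2.20 dport=10443 action=allow
"""


def parse_line(line):
    """Return (timestamp, src, dst, dport), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["dst"], int(m["dport"])


def find_vpn_sweeps(log_text, window=timedelta(minutes=5), min_hosts=3):
    """Return {src: {"ports": set, "hosts": set}} for sources that, within any
    `window`-long span, hit all three VPN ports or >= min_hosts distinct hosts
    on a VPN port. Connections to other ports are ignored entirely.
    (Window length and host threshold are assumed values for this example.)"""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[3] not in VPN_PORTS:
            continue
        ts, src, dst, dport = parsed
        events[src].append((ts, dst, dport))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        # Sliding window over this source's VPN-port connections, oldest first.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            ports = {p for _, _, p in win}
            hosts = {h for _, h, _ in win}
            if ports == VPN_PORTS or len(hosts) >= min_hosts:
                rec = hits.setdefault(src, {"ports": set(), "hosts": set()})
                rec["ports"] |= ports
                rec["hosts"] |= hosts
    return hits


if __name__ == "__main__":
    for src, info in find_vpn_sweeps(SAMPLE_LOG).items():
        print(f"{src}: ports={sorted(info['ports'])} hosts={sorted(info['hosts'])}")
```

Run against the sample, only 203.0.113.7 is reported; the user on 198.51.100.9 never trips either condition, and the sweeper's lone connection at 11:30 falls outside every five-minute window and so is not counted as part of the sweep. In practice the same logic is a starting point for a SIEM correlation rule rather than a stand-alone tool: the thresholds should be tuned to the environment, and a source that trips the rule and then establishes a successful session on 10443 deserves a look at VPN authentication logs.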
“It is likely that the APT actors are scanning for these vulnerabilities to gain access to multiple government, commercial and technology services networks,” the alert states. “APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns.”
Over the last year, researchers have detected increasing numbers of incidents in which attackers target critical external applications such as VPNs, Zach Hanley, senior red team engineer at Horizon3.AI, told Threatpost.
He says the three critical flaws can allow attackers to steal credentials, access internal networks, and more:
“These three vulnerabilities targeting the Fortinet VPN allow an attacker to obtain valid credentials, bypass multifactor authentication (MFA), and man-in-the-middle (MITM) authentication traffic to intercept credentials.”
Once inside a victim's network, attackers move laterally and spy on targets, according to the warning.
“The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical-infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks,” the warning says. “APT actors may use other CVEs or common exploitation techniques—such as spear-phishing—to gain access to critical infrastructure networks to pre-position for follow-on attacks.”
The FBI and CISA suggest a range of measures that organizations can take to thwart the attacks, among them patching CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591, adding key artifact files used by FortiOS to the organization's execution-deny list, regularly backing up data, implementing network segmentation, and requiring administrator credentials to install software.