Three FortiOS Vulnerabilities Being Exploited for the Campaign
The U.S. Cybersecurity and Infrastructure Security Agency and the FBI warn that unidentified nation-state actors are scanning for three vulnerabilities in Fortinet’s operating system, FortiOS, to likely target government and private sector companies for cyberespionage.
In a joint alert released on Friday, the agencies note that nation-state actors are scanning for FortiOS vulnerabilities tracked as CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591 for initial attacks.
The alert does not disclose details of the threat actors, but says the agencies have detected a surge in scanning activities for the vulnerabilities since March. The agencies say the attackers could use the vulnerabilities to gain access to the networks of government or private entities.
“The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks,” the alert notes. It adds that the APT actors may also use other CVEs or common exploitation techniques—such as spearphishing.
The vulnerabilities referenced include:
- CVE-2018-13379: an improper pathname vulnerability found in multiple versions of the Fortinet FortiOS SSL VPN web portal that can allow an unauthenticated attacker to download system files via specially crafted HTTP resource requests. In November 2020, after hackers leaked stolen passwords, CISA warned that threat actors can exploit the vulnerability using exposed credentials (see: CISA Warns of Password Leak on Vulnerable Fortinet VPNs). Prior to this, in July, the U.S., U.K. and Canada warned that the Russian hacking group APT29 exploited the vulnerability to target research organizations in countries involved in COVID-19 vaccine development (see: US, UK, Canada: Russian Hackers Targeting COVID-19 Research);
- CVE-2020-12812: an improper authentication vulnerability in SSL VPN affecting multiple FortiOS versions that enables an attacker to successfully log in without authentication;
- CVE-2019-5591: a default configuration vulnerability in FortiOS that allows an unauthenticated attacker to intercept sensitive information by impersonating servers.
Security experts note attackers can exploit the vulnerabilities in multiple ways.
Joseph Cortese, penetration testing practice lead at A-LIGN, notes that attackers use the vulnerabilities for path traversal attacks to obtain sensitive system files. “An attack like this will be successful in obtaining usernames and password hashes for cracking and further exploitation of the network behind the firewall,” Cortese says. “The top priority should be assigned to patching and remediating these vulnerabilities, as this is the type that can result in a magnitude of attacks.”
Zach Hanley, senior red team engineer at security firm Horizon3.AI, adds that the attackers can use the vulnerabilities to obtain valid credentials to perform man-in-the-middle attacks, which will then help them to intercept authentication traffic. “The common theme here is: once they are successful, they will look just like your normal users.”
Dirk Schrader, global vice president of security research at New Net Technologies, says: “Exploiting vulnerabilities in key infrastructure devices like firewalls is a critical path for attackers as it allows to establish foothold behind them. For any organization, monitoring these devices, patching them, controlling any configuration changes on them is a priority job for the security teams.”
CISA and the FBI have recommended various steps for Fortinet users to prevent exploitation of the flaws in addition to patching. These include:
- Regularly backing up data, and password protecting the backup copies offline. The agencies also note organizations should ensure that these copies are not accessible for modification or deletion from the primary system where the data resides.
- Implementing network segmentation and having an effective recovery plan to restore sensitive or proprietary data from a physically separate, segmented, secure location such as a hard drive, storage device or cloud.
- Regularly changing passwords to network systems and accounts, and avoiding reusing passwords for different accounts.
- Disabling unused remote access or remote desktop protocol ports and monitoring these tools.
- Auditing user accounts with administrative privileges and configuring access controls with least privilege in mind.