APT Groups Targeting Government Agencies

ByPR 24

Application Security
,
Application Security & Online Fraud
,
Breach Notification

Three FortiOS Vulnerabilities Being Exploited for the Campaign

Akshaya Asokan (asokan_akshaya) •
April 3, 2021    

FBI and CISA: APT Groups Targeting Government Agencies

The U.S. Cybersecurity and Infrastructure Security Agency and the FBI warn that unidentified nation-state actors are scanning for three vulnerabilities in Fortinet’s operating system, FortiOS, to likely target government and private sector companies for cyberespionage.

In a joint alert released on Friday, the agencies note nation-state actors are scanning for FortiOS vulnerabilities tracked as CVE-2018-13379, CVE-2020-12812, CVE-2019-5591 for initial attacks.

The alert does not disclose details of the threat actors, but says the agencies have detected a surge in scanning activities for the vulnerabilities since March. The agencies say the attackers could use the vulnerabilities to gain access to the networks of government or private entities.

See Also: Live Webinar | Attacks on Cloud Infrastructure

“The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks,” the alert notes. It adds that the APT actors may also use other CVEs or common exploitation techniques—such as spearphishing.


Vulnerabilities

The vulnerabilities referenced include:

  • CVE-2018-13379: an improper pathname vulnerability found in multiple versions of the Fortinet FortiOS SSL VPN web portal that can allow an unauthenticated attacker to download system files via special crafted HTTP resource requests. In November 2020, after hackers leaked stolen passwords, the CIA warned that threat actors can exploit the vulnerability using exposed credentials (see: CISA Warns of Password Leak on Vulnerable Fortinet VPNs). Prior to this, in July, the U.S., U.K. and Canada warned that the Russian hacking group APT29 exploited the vulnerability to target research organizations in countries involved in COVID-19 vaccine development (see: US, UK, Canada: Russian Hackers Targeting COVID-19 Research);

  • CVE-2020-12812: an improper authentication vulnerability in SSL VPN affecting multiple FortiOS versions that enable an attackers to successfully log in without authentication;

  • CVE-2019-5591: a default configuration vulnerability in FortiOS that allows an unauthenticated attacker to intercept sensitive information by impersonating servers.

Exploiting Vulnerabilities

Security experts note attackers can exploit the vulnerabilities in multiple ways.


Joseph Cortese, penetration testing practice lead at A-LIGN, note attackers use the vulnerabilities for path traversal attack to obtain sensitive system files. “An attack like this will be successful in obtaining usernames and password hashes for cracking and further exploitation of the network behind the firewall,” Cortese says. “The top priority should be assigned to patching and remediating these vulnerabilities, as this is the type that can result in a magnitude of attacks.”


Zach Hanley, senior red team engineer at security firm Horizon3.AI, adds that the attackers can use the vulnerabilities to obtain valid credentials to perform man-in-the middle attacks, which will then help them to intercept authentication traffic. “The common theme here is: once they are successful, they will look just like your normal users.”


Dirk Schrader, global vice president of security research at New Net Technologies, says: “Exploiting vulnerabilities in key infrastructure devices like firewalls is a critical path for attackers as it allows to establish foothold behind them. For any organization, monitoring these devices, patching them, controlling any configuration changes on them is a priority job for the security teams.”


Recommendations

The CISA and the FBI have recommended various steps for Fortinet users to prevent exploitation of the flaws in addition to patching. These include:

  • Regularly backing-up data, and password protecting the backup copies offline. The agency also notes organizations should ensure that these copies are not accessible for modification or deletion from the primary system where the data resides.

  • Implementing network segmentation and having an effective recovery plan to restore sensitive or proprietary data from a physically separate, segmented, secure location such hard drive, storage device or cloud.

  • Regularly changing passwords to network systems and accounts, and avoiding reusing passwords for different accounts.

  • Disabling unused remote access or remote desktop protocol ports and monitoring these tools.

  • Auditing user accounts with administrative privileges and configuring access controls with least privilege in mind.

Similar Posts

For Maximum Resiliency, Unleash Chaos Monkeys

For Maximum Resiliency, Unleash Chaos Monkeys

ByPR 24

Governance & Risk Management , IT Risk Management , Security Operations Opening RSA Conference Keynote Speeches Highlight Tactics for Sustainable Resiliency Mathew J. Schwartz (euroinfosec) • May 17, 2021     Could the theme of this year’s RSA Conference be anything other than resiliency? See Also: Live Webinar | Software Security: Prescriptive vs. Descriptive …

Bugs Found in Dell SupportAssist Allowed Attackers to Remotely Execute Code

Bugs Found in Dell SupportAssist Allowed Attackers to Remotely Execute Code

ByPR 24

Four major security vulnerabilities were discovered in the BIOSConnect feature of Dell SupportAssist. The Dell SupportAssist vulnerabilities were allowing attackers to remotely execute code within the BIOS of impacted devices. The SupportAssist software is preinstalled on most Dell devices running Windows operating system, while BIOSConnect provides remote firmware update and OS recovery features. The chain of flaws that…

Chinese hackers used Facebook to target Uighurs abroad, company says

Chinese hackers used Facebook to target Uighurs abroad, company says

ByPR 24

BEIJING: Facebook said on Wednesday (Mar 24) it had blocked a group of hackers in China who used the platform to target Uighurs living abroad with links to malware that would infect their devices and enable surveillance. The social media company said the hackers, known as Earth Empusa or Evil Eye in the security industry, targeted…

Hackers Exploit VPN to Deploy SUPERNOVA malware on SolarWinds Orion

Hackers Exploit VPN to Deploy SUPERNOVA malware on SolarWinds Orion

ByPR 24

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has disclosed details of a new advanced persistent threat (APT) that’s leveraging the Supernova backdoor to compromise SolarWinds Orion installations after gaining access to the network through a connection to a Pulse Secure VPN device. “The threat actor connected to the entity’s network via a Pulse Secure…

North Korean .Gov Hackers Back With Fake Pen-Test Company

North Korean .Gov Hackers Back With Fake Pen-Test Company

ByPR 24

A North Korean government-backed APT group has been caught using a fake pen-testing company and a range of sock puppet social media accounts in an escalation of a hacking campaign targeting security research professionals. The notorious hacking group, first exposed by Google earlier this year, returned on March 17th with a website for a fake…

100-Day Plan to Enhance Electrical Grid Security Unveiled

100-Day Plan to Enhance Electrical Grid Security Unveiled

ByPR 24

Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Governance & Risk Management Biden Administration Plan Is Part of a Broader Critical Infrastructure Protection Effort Scott Ferguson (Ferguson_Writes) • April 20, 2021     The Biden administration is rolling out a 100-day plan to improve cybersecurity and address cyberthreats across the nation’s electrical grid….