APT Groups Are Targeting Fortinet FortiOS Servers, FBI and CISA Warn
Admins Are Warned of the Likelihood of APT Actors Exploiting Three Vulnerabilities in Fortinet FortiOS.
Last Friday, the U.S. Federal Bureau of Investigation (FBI) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory warning that hacking groups are deliberately targeting vulnerabilities in Fortinet FortiOS.
The agencies believe the as-yet-unidentified actors are scanning for three vulnerabilities in Fortinet’s operating system, FortiOS, in order to target private sector organizations and government entities for cyberespionage.
The alert does not reveal more about the threat actors, but states that the agencies have observed a surge in scanning activity for these vulnerabilities since March. The FBI and CISA detected Advanced Persistent Threat (APT) actors scanning devices on ports 4443, 8443, and 10443 for CVE-2018-13379 in FortiOS. They also observed the attackers scanning the enumerated devices for CVE-2020-12812 and CVE-2019-5591.
The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors, pre-positioning themselves for follow-on data exfiltration or data encryption attacks.
The threat actors are actively exploiting the following vulnerabilities in Fortinet FortiOS:
- CVE-2018-13379: a vulnerability found in several versions of the Fortinet FortiOS SSL VPN web portal that can allow an unauthenticated hacker to download system files via SSL VPN.
- CVE-2020-12812: an improper authentication vulnerability in SSL VPN affecting multiple FortiOS versions that enables an attacker to log in successfully without authentication.
- CVE-2019-5591: a default configuration vulnerability in FortiOS that allows an unauthenticated attacker to intercept sensitive information by impersonating the LDAP server.
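The advisory's observable details are the scanning of ports 4443, 8443 and 10443 for the SSL VPN portal and the use of path traversal to read system files. The following script is an added example, not code from the advisory, FortiNet or the article's sources; it shows how a defender could flag both behaviours in access logs. It assumes a constructed, simplified log format ("timestamp src dst:port method uri") and uses only made-up sample lines, so it runs offline; real FortiGate or proxy logs would need their own parser.

```python
"""Flag sources that sweep the FortiOS SSL VPN ports and requests that carry
path-traversal sequences. Added example with constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Ports the FBI/CISA advisory names as being scanned for CVE-2018-13379.
SSLVPN_PORTS = {4443, 8443, 10443}
# Two or more of those ports touched by one source within this window is
# treated as a sweep (threshold chosen for the example).
SCAN_WINDOW = timedelta(minutes=5)
# A ".." segment followed by a path separator, checked after percent-decoding.
TRAVERSAL = re.compile(r"\.\.[/\\]")

# Constructed sample lines in the assumed "timestamp src dst:port method uri" form.
SAMPLE_LOGS = [
    "2021-04-02T10:00:01 198.51.100.7 203.0.113.10:4443 GET /remote/login",
    "2021-04-02T10:00:02 198.51.100.7 203.0.113.10:8443 GET /remote/login",
    "2021-04-02T10:00:03 198.51.100.7 203.0.113.10:10443 GET /remote/login",
    "2021-04-02T10:05:00 192.0.2.44 203.0.113.10:10443 GET /static/theme?file=../../../../etc/hostname",
    "2021-04-02T10:06:00 192.0.2.44 203.0.113.10:10443 GET /static/theme?file=%2e%2e%2f%2e%2e%2fetc%2fhostname",
    "2021-04-02T10:30:00 192.0.2.44 203.0.113.10:4443 GET /remote/login",  # outside the window
    "2021-04-02T10:07:00 10.0.0.5 203.0.113.10:10443 GET /remote/login?lang=en",
    "garbage line that does not parse",
]

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[^:\s]+):(?P<port>\d+) (?P<method>\S+) (?P<uri>\S+)$"
)


def parse(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    event["port"] = int(event["port"])
    return event


def is_traversal(uri):
    """True if the URI contains a '..' path segment, including single- or
    double-percent-encoded forms (decoded twice before matching)."""
    decoded = unquote(unquote(uri))
    return bool(TRAVERSAL.search(decoded))


def find_port_scans(events, window=SCAN_WINDOW):
    """Return {src: sorted list of ports} for sources that hit two or more of
    the SSL VPN ports within `window` of each other."""
    by_src = defaultdict(list)
    for e in events:
        if e["port"] in SSLVPN_PORTS:
            by_src[e["src"]].append((e["ts"], e["port"]))
    hits = {}
    for src, seen in by_src.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            ports = {p for t, p in seen[i:] if t - t0 <= window}
            if len(ports) >= 2:
                hits[src] = sorted(ports)
                break
    return hits


def find_traversal(events):
    """Return (src, uri) pairs whose URI contains a traversal sequence."""
    return [(e["src"], e["uri"]) for e in events if is_traversal(e["uri"])]


def analyse(lines):
    """Run both detections over raw log lines, skipping lines that do not parse."""
    events = [e for e in map(parse, lines) if e]
    return {"scanners": find_port_scans(events), "traversal": find_traversal(events)}


if __name__ == "__main__":
    for kind, findings in analyse(SAMPLE_LOGS).items():
        print(kind, findings)
```

In the sample data only 198.51.100.7 is reported as a scanner: 192.0.2.44 also touches two SSL VPN ports, but 25 minutes apart, which illustrates why the window matters. Decoding twice before the traversal match catches the double-encoded variant that a single decode would miss; a production detection would also normalise backslashes and overlong UTF-8 forms.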
According to security specialists, hackers can exploit the vulnerabilities in multiple ways.
As stated by Joseph Cortese, penetration testing practice lead at A-LIGN, attackers use the vulnerabilities for path traversal attacks to get sensitive system files. Patching and remediating these liabilities should be a top priority.
The hackers can also use the vulnerabilities to acquire valid credentials to perform man-in-the-middle attacks, according to Zach Hanley, the senior red team engineer at security firm Horizon3.AI.
Exploiting vulnerabilities in key infrastructure devices such as firewalls is a critical path for attackers, as it lets them establish a foothold behind those devices. For any organization, monitoring these devices, patching them, and controlling any configuration changes on them are priority jobs for the security team.
The CISA and the FBI have suggested different mitigation measures to protect systems from ongoing state-sponsored attacks exploiting the above issues:
- Frequently back up data, air gap, and password-protect backup copies offline. Make sure copies of sensitive data are not accessible for modification or deletion from the primary system where the data is.
- Immediately patch CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
- Implement network segmentation and have an effective recovery plan to restore sensitive or proprietary data from a physically separate, segmented, secure location such as a hard drive, storage device, or the cloud.
- Use multi-factor authentication where possible.
- If FortiOS is not used by your organization, add key artifact files used by FortiOS to your organization’s execution deny list.
- Change passwords to network systems and accounts, and avoid reusing passwords across different accounts. Apply the shortest acceptable timeframe for password changes.
- Deactivate unutilized remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Add an email banner to emails received from outside your organization.
- Require administrator credentials to install software.
- Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
- Awareness and training are the most important. Provide users with training on information security principles and techniques, particularly on recognizing and avoiding phishing emails.
The FortiOS advisory comes two days after CISA provided further guidance on its emergency directive concerning the Microsoft Exchange Server vulnerabilities, advising federal departments and agencies to run Microsoft’s new Test-ProxyLogon.ps1 script and Safety Scanner tool to determine whether they have been compromised.
Fortinet urges customers who have not yet applied the upgrades and mitigations to do so as soon as possible.