The FBI and the Cybersecurity and Infrastructure Security Agency are warning that advanced persistent threat (APT) nation-state actors are actively exploiting known security vulnerabilities in the Fortinet FortiOS cybersecurity operating system, affecting the company’s SSL VPN products.
According to an alert issued Friday by the FBI and CISA, cyberattackers are scanning devices on ports 4443, 8443 and 10443, looking for unpatched Fortinet security implementations. Specifically, APTs are exploiting CVE-2018-13379, CVE-2019-5591 and CVE-2020-12812.
“It is likely that the APT actors are scanning for these vulnerabilities to gain access to multiple government, commercial and technology services networks,” according to the alert. “APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns.”
The bug tracked as CVE-2018-13379 is a path-traversal issue in Fortinet FortiOS, where the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.
The CVE-2019-5591 flaw is a default-configuration vulnerability in FortiOS that could allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.
And finally, CVE-2020-12812 is an improper-authentication vulnerability in SSL VPN in FortiOS, which could allow a user to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.
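As an added illustration of how a defender might hunt for the two observable behaviors described above (probing of ports 4443, 8443 and 10443, and successful SSL VPN logins without a token prompt under a username that matches a provisioned account only when case is ignored), here is example detection code that is not part of the advisory or of any Fortinet product. The key=value log format, the field names and the sample entries are constructed assumptions for the example, not real FortiOS output.

```python
import re
from collections import defaultdict

# Constructed, simplified key=value log lines used as sample input for this
# example. They are not real FortiOS log output; field names are assumed.
SAMPLE_LOGS = """\
src=198.51.100.7 dstport=4443 action=deny
src=198.51.100.7 dstport=8443 action=deny
src=198.51.100.7 dstport=10443 action=deny
src=203.0.113.9 dstport=443 action=accept
event=sslvpn-login user=alice tokenprompt=yes result=success
event=sslvpn-login user=ALICE tokenprompt=no result=success
event=sslvpn-login user=bob tokenprompt=yes result=success
"""

# Provisioned account names in the exact case they were configured (constructed).
KNOWN_USERS = {"alice", "bob"}
# The three ports the FBI/CISA alert says are being scanned.
SCAN_PORTS = {4443, 8443, 10443}
KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one key=value line into a dict."""
    return dict(KV.findall(line))


def find_scanners(lines):
    """Return sources that probed every one of the advisory's VPN ports."""
    hits = defaultdict(set)
    for rec in map(parse, lines):
        if "dstport" in rec and int(rec["dstport"]) in SCAN_PORTS:
            hits[rec["src"]].add(int(rec["dstport"]))
    return sorted(src for src, ports in hits.items() if ports == SCAN_PORTS)


def find_case_mismatch_logins(lines):
    """Return (login_name, provisioned_name) pairs for successful SSL VPN logins
    that skipped the token prompt and differ from the account only in case."""
    canonical_by_lower = {u.lower(): u for u in KNOWN_USERS}
    flagged = []
    for rec in map(parse, lines):
        if rec.get("event") != "sslvpn-login" or rec.get("result") != "success":
            continue
        user = rec["user"]
        canonical = canonical_by_lower.get(user.lower())
        if canonical and user != canonical and rec.get("tokenprompt") == "no":
            flagged.append((user, canonical))
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    print("port scanners:", find_scanners(lines))
    print("suspicious logins:", find_case_mismatch_logins(lines))
```

A case-only mismatch that also skipped the second factor is the signal worth alerting on; a case mismatch with a token prompt present is usually just a user typing carelessly.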
“Attackers are increasingly targeting critical external applications — VPNs have been targeted even more this last year,” said Zach Hanley, senior red team engineer at Horizon3.AI, via email. “These three vulnerabilities targeting the Fortinet VPN allow an attacker to obtain valid credentials, bypass multifactor authentication (MFA), and man-in-the-middle (MITM) authentication traffic to intercept credentials.”
Hanley added, “The common theme here is: once they are successful, they will look just like your normal users.”
The bugs are popular with cyberattackers in general, due to Fortinet’s widespread footprint, researchers noted.
“CVE-2018-13379 is a critical vulnerability in the Fortinet FortiOS SSL VPN that has been favored by cybercriminals since exploit details became public in August 2019,” Satnam Narang, staff research engineer at Tenable, said via email. “In fact, Tenable’s 2020 Threat Landscape Retrospective placed it in our Top 5 Vulnerabilities of 2020 because we see threat actors continue to leverage it in the wild, well over a year after it was first disclosed.”
The FBI and CISA didn’t specify which APTs are mounting the recent activity.
Once exploited, the attackers are moving laterally and carrying out reconnaissance on targets, according to officials.
“The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical-infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks,” the warning explained. “APT actors may use other CVEs or common exploitation techniques—such as spear-phishing—to gain access to critical infrastructure networks to pre-position for follow-on attacks.”
The joint cybersecurity advisory from the FBI and CISA follows last year’s flurry of advisories from U.S. agencies about APT groups using unpatched vulnerabilities to target federal agencies and commercial organizations. For instance, in October an alert went out that APTs were using flaws in outdated VPN technologies from Fortinet, Palo Alto Networks and Pulse Secure to carry out cyberattacks on targets in the United States and overseas.
“It’s no surprise to see additional Fortinet FortiOS vulnerabilities like CVE-2019-5591 and CVE-2020-12812 added to the list of known, but unpatched flaws being leveraged by these threat actors,” said Narang. “Over the last few years, SSL VPN vulnerabilities have been an attractive target for APT groups and cybercriminals alike. With the shift to remote work and the increased demand for SSL VPNs like Fortinet and others, the attack surface and available targets have expanded. Organizations should take this advisory seriously and prioritize patching their Fortinet devices immediately if they haven’t done so already.”
The FBI and CISA suggest a range of best practices to help organizations thwart these and other attacks:
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5591
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12812
threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/
us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios