Cybersecurity News

FBI, CISA: APT Actors Exploiting Unpatched Fortinet Vulnerabilities

Though Fortinet issued a software update for the vulnerabilities in 2019, FBI and CISA warn that APT threat actors are actively exploiting unpatched flaws to gain network access.

FBI DHS CISA joint alert on Fortinet FortiOS vulnerabilities exploited by APT threat actors for malicious activities

By Jessica Davis

- Advanced persistent threat actors are actively exploiting unpatched vulnerabilities in Fortinet FortiOS platforms belonging to technology services, government agencies, and other private sector entities, according to a joint alert from the FBI and the Department of Homeland Security Cybersecurity and Infrastructure Security Agency.

The APT actors are targeting the flaws CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591, which were first disclosed in 2019. Successful exploits of the latest hacking campaign allow the attacker to gain a foothold onto the network for future cyberattacks.

CVE-2018-13379 is found in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12 platforms and is caused by an improper limitation of a pathname to a restricted directory, or path traversal, under the SSL Virtual Private Network (VPN) web portal.

A successful exploit of the flaw gives an attacker the ability to download system files through specially crafted HTTP resource requests. A previous CISA alert found that an exploit could also expose passwords through the vulnerable devices.

To exploit the vulnerability, an attacker would need to first obtain credentials of logged-in SSL VPN users.

In previous campaigns, threat actors leveraged these security gaps in chained cyberattacks. A hacker would first leverage the Fortinet FortiOS vulnerability to gain access to the victim’s network, then paired the attack with a critical Netlogon vulnerability, CVE-2020-1472, to escalate privileges in a single intrusion.

In the latest exploits, the federal agencies warned that APT hackers are scanning for devices on ports 4443, 8443, and 10443 to find CVE-2018-13379, as well as enumerated devices for CVE-2020-12812 and CVE-2019-5591.

Critical vulnerabilities are typically used by APT actors for DDoS attacks, ransomware, SQL injection attacks, spear-phishing, website defacement, and disinformation campaigns, according to the alert.

For this campaign, the threat actors are likely leveraging the Fortinet flaws to gain network access across multiple critical infrastructure sectors, for “pre-positioning for follow-on data exfiltration or data encryption attacks.” 

“APT actors may use other CVEs or common exploitation techniques -- such as spear-phishing -- to gain access to critical infrastructure networks to pre-position for follow-on attacks,” officials warned.

Given the severity of these flaws and attack methods, agency officials are again urging critical infrastructure entities to immediately apply the Fortinet software update to the impacted devices.

If an organization does not employ the tech, administrators should add FortiOS key artifact files to the entity’s execution deny list to prevent any attempts to install or run the program and associated files.

CISA and the FBI also provided further recommendations for mitigating the risks associated with these flaws, including requiring admin credentials for any software installation and leveraging multi-factor authentication on all relevant endpoints.

It’s also recommended that entities implement network segmentation to isolate vulnerable tech from the main network and regularly back up data in an air gapped, password-protected offline storage server. Administrators should also ensure copies of critical data are not able to be modified or accessible for deletion from the primary system.

Further, entities should focus on employee awareness and training around the principles and techniques for identifying and avoiding phishing emails. Hyperlinks should be disabled in emails, and entities should consider adding a banner to emails received from outside of the organization.

“Implement a recovery plan to restore sensitive or proprietary data from a physically separate, segmented, secure location,” officials recommended.

These recommendations can also support mitigation for a host of other vulnerabilities. As threat actors continue to chain attack methods and exploit known device flaws, such as the supply chain attacks on Microsoft Exchange and Accellion, it’s a critical time to review device inventories and vulnerability management processes.

"Over the last few years, SSL VPN vulnerabilities have been an attractive target for APT groups and cybercriminals alike," said Satnam Narang, Tenable staff research engineer.

"With the shift to remote work and the increased demand for SSL VPNs like Fortinet and others, the attack surface and available targets have expanded," he added. "Organizations should take this advisory seriously and prioritize patching their Fortinet devices immediately if they haven’t done so already."