
FBI: Unpatched Fortinet Flaws Remain Under Attack by APT Actors

A recent FBI flash alert warns advanced persistent threat (APT) actors are continuing to exploit unpatched Fortinet flaws to gain access for malicious activities, including data theft.

The FBI warns that advanced persistent threat (APT) actors are actively scanning for and exploiting vulnerable Fortinet devices to gain network access and exfiltrate data.

By Jessica Davis

Advanced persistent threat (APT) actors are continuing to exploit three unpatched critical vulnerabilities in certain Fortinet FortiOS devices to gain access to victims’ networks for nefarious activities, including data theft and data encryption, according to a recent FBI alert.

The flash alert is a follow-up to an April joint alert from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, which shed light on the ongoing malicious campaign.

Fortinet released software updates for CVE-2018-13379, FortiOS CVE-2020-12812, and FortiOS CVE-2019-5591 in 2019. In previous attacks, hackers gained access to unpatched systems on ports 4443, 8443, and 10443.

Found in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12, CVE-2018-13379 is caused by an improper limitation of a pathname to a restricted directory (path traversal) in the SSL Virtual Private Network (VPN) web portal.

The flaw has been exploited in other malicious campaigns, where it allowed the actor to download system files through specially crafted HTTP resource requests and exposed passwords stored on the vulnerable devices.

The attackers have also been observed scanning for devices on ports 4443, 8443, and 10443 to find the flaws. Past campaigns also saw hackers leveraging the security gaps in chained cyberattacks.

The latest insights show that the APT actors are actively targeting vulnerable systems across a range of sectors, which officials explained shows “the activity is focused on exploiting vulnerabilities rather than targeted at specific sectors.”

The access can be used for data exfiltration, encryption, and other nefarious activities.

As hackers are continuing to target and exploit vulnerable systems, the latest insights detail the tactics used and indicators of compromise on impacted networks.

The FBI has identified tools leveraged in these attacks, such as Mimikatz for credential theft, MinerGate for crypto mining, WinPEAS to escalate privileges, and BitLocker for data encryption, among a host of others.

There are also three key IOCs tied to these flaws: new user accounts, outbound traffic, and unrecognized scheduled tasks. The alert stressed that IOCs tied to outbound traffic include any FTP transfers made over port 443.

After a successful exploit, the attackers may establish new user accounts on domain controllers, servers, workstations, and Active Directories. The accounts commonly appear to have been created to mimic existing accounts on the network, to hide in plain sight. Thus, the account names will vary by organization.

Lastly, the actors may also modify items within the Task Scheduler; these typically show up as unrecognized scheduled tasks or actions, such as SychronizeTimeZone.

The FBI again urged all entities to immediately patch the three vulnerabilities, especially CVE-2018-13379. The vulnerability has been identified in a range of critical attacks since its disclosure several years ago, including chained cyberattacks, password theft, and nation-state attacks.

“If FortiOS is not used by your organization, add the key artifact files used by FortiOS to your organization’s execution denylist,” officials urged. “Any attempts to install or run this program and its associated files should be prevented.”

“Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts,” they continued. “Review Task Scheduler for unrecognized scheduled tasks… Manually review operating system defined or recognized scheduled tasks for unrecognized ‘actions’.”
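As an added example that is not part of the FBI alert or this article, the following Python helper applies the three IoC checks described above (new or lookalike user accounts, unrecognized scheduled tasks, and FTP transfers carried over TCP/443) to constructed sample data; the baseline sets, account names, task names and flow tuples are all invented placeholders.

```python
# Added example (not from the FBI alert or this article): triage helpers for the
# three IoC classes the alert names, run over constructed sample data.

# Constructed baseline; no real hosts, accounts or tasks.
KNOWN_ACCOUNTS = {"jsmith", "mgarcia", "svc_backup", "administrator"}
KNOWN_TASKS = {"SynchronizeTime", "NightlyBackup", "SoftwareUpdate"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot names that mimic an existing account."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def new_accounts(observed, known=KNOWN_ACCOUNTS, max_dist=2):
    """Accounts absent from the baseline, each tagged with the known account it
    resembles when within max_dist edits (the 'hide in plain sight' pattern)."""
    findings = []
    for name in sorted(set(observed) - set(known)):
        closest = min(known, key=lambda k: edit_distance(name.lower(), k.lower()))
        mimics = closest if edit_distance(name.lower(), closest.lower()) <= max_dist else None
        findings.append({"account": name, "mimics": mimics})
    return findings

def unrecognized_tasks(observed, known=KNOWN_TASKS):
    """Scheduled task names that are not in the approved baseline."""
    return sorted(set(observed) - set(known))

def ftp_over_443(flows):
    """Flows whose payload an application-aware sensor classified as FTP on TCP/443.
    Each flow is a (src, dst, dst_port, app_protocol) tuple (constructed format)."""
    return [f for f in flows if f[2] == 443 and f[3].upper() == "FTP"]

if __name__ == "__main__":
    accounts = KNOWN_ACCOUNTS | {"svc_backups", "jsmlth", "helpdesk2"}
    tasks = KNOWN_TASKS | {"SychronizeTimeZone"}
    flows = [("10.0.0.5", "203.0.113.7", 443, "TLS"),
             ("10.0.0.5", "198.51.100.9", 443, "FTP"),
             ("10.0.0.8", "198.51.100.9", 21, "FTP")]
    print("accounts:", new_accounts(accounts))
    print("tasks:", unrecognized_tasks(tasks))
    print("ftp over 443:", ftp_over_443(flows))
```

In practice the observed sets would come from an export of local and domain accounts, the Task Scheduler library, and an application-aware network sensor, compared against a baseline captured before the exposure window.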

Other recommended mitigation measures include reviewing antivirus logs for any indications of unexpected shutdowns, requiring admin credentials to install software, auditing user accounts with admin privileges, and configuring access controls as least privilege, among others.

In light of heightened attacks against the healthcare sector, the alert should again serve as a reminder to review software updates for all connected network devices.