It has been reported that several APT groups are using security vulnerabilities in the Fortinet SSL VPN to carry out attacks in the wild. These vulnerabilities are exploited to gain access to targeted networks before moving laterally or carrying out reconnaissance.
What has happened?
The FBI and CISA have alerted that nation-state actors are actively utilizing known security vulnerabilities (CVE-2018-13379, CVE-2019-5591, and CVE-2020-12812) in the Fortinet FortiOS cybersecurity operating system.
- Attackers are scanning devices on ports 4443, 10443, and 8443 to find unpatched FortiOS installations; specifically, the APT actors are probing targeted networks for these vulnerabilities.
- It is believed that APTs are exploiting these vulnerabilities to gain access to government, technology, and commercial networks.
- Together, these three vulnerabilities allow an attacker to bypass multi-factor authentication, obtain valid credentials, and perform man-in-the-middle attacks on authentication traffic to intercept credentials.
- APTs may use other CVEs or common exploitation techniques to gain access to critical infrastructure networks to pre-position themselves and carry out follow-on attacks.
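The scanning behaviour described above is something a defender can look for in their own perimeter logs. The following is an added example (not from the advisory or from Fortinet) that groups connection-log hits on the three ports named in the text by source address and reports sources that touch more than one of them; the log format, the sample lines and the `find_ssl_vpn_probes` name are constructed for illustration.

```python
"""Detection sketch: flag sources probing the Fortinet SSL VPN ports from the advisory."""
import re
from collections import defaultdict

# Ports the advisory names as being scanned for unpatched FortiOS SSL VPN.
SSL_VPN_PORTS = {4443, 10443, 8443}

# Constructed sample lines (not real telemetry). Hypothetical export format:
# "<timestamp> <src_ip> <dst_ip> <dst_port> <action>".
SAMPLE_LOG = """\
2021-04-02T10:00:01Z 203.0.113.10 192.0.2.5 4443 deny
2021-04-02T10:00:02Z 203.0.113.10 192.0.2.5 10443 deny
2021-04-02T10:00:03Z 203.0.113.10 192.0.2.5 8443 deny
2021-04-02T10:00:04Z 203.0.113.10 192.0.2.6 4443 deny
2021-04-02T10:01:00Z 198.51.100.7 192.0.2.5 443 allow
2021-04-02T10:01:05Z 198.51.100.7 192.0.2.5 443 allow
2021-04-02T10:02:00Z 203.0.113.44 192.0.2.9 10443 allow
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s+(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_ssl_vpn_probes(log_text, min_ports=2):
    """Group hits on the advisory's ports by source IP.

    A source is reported once it has touched at least `min_ports` distinct
    SSL VPN ports. Touching several of them in a short window is the
    scanning behaviour the advisory describes; a single connection to the
    one port an organisation actually exposes is ordinary traffic.
    """
    by_src = defaultdict(lambda: {"ports": set(), "targets": set(), "first_seen": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in SSL_VPN_PORTS:
            continue
        entry = by_src[rec["src"]]
        entry["ports"].add(rec["dport"])
        entry["targets"].add(rec["dst"])
        if entry["first_seen"] is None:
            entry["first_seen"] = rec["ts"]
    return {src: e for src, e in by_src.items() if len(e["ports"]) >= min_ports}


if __name__ == "__main__":
    for src, e in find_ssl_vpn_probes(SAMPLE_LOG).items():
        print(f"{src}: ports={sorted(e['ports'])} targets={sorted(e['targets'])} "
              f"first_seen={e['first_seen']}")
```

Lowering `min_ports` to 1 also surfaces sources that hit only the port the organisation exposes, which is useful for a short-lived hunt but noisy as a standing rule; the default of 2 keys on the multi-port probing the advisory describes.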
Brief info on the three vulnerabilities
Here’s brief information about these vulnerabilities:
- CVE-2018-13379: a path-traversal flaw in Fortinet FortiOS that lets an unauthenticated attacker download system files via specially crafted HTTP resource requests. In Dec 2020, Pay2Kitten ransomware was found leveraging this vulnerability for its attacks.
- CVE-2019-5591: a default configuration flaw in FortiOS that could allow an unauthenticated attacker to intercept sensitive information by impersonating the LDAP server.
- CVE-2020-12812: an improper-authentication flaw in the FortiOS SSL VPN that could allow an attacker to log in successfully while bypassing two-factor authentication (FortiToken).
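The first of the three flaws is a path-traversal bug reached through crafted HTTP requests, so the generic detection a defender wants is one that spots traversal sequences in web-portal access logs even when they are percent-encoded, double-encoded, or written with backslashes. The following is an added example, not code from the advisory or from Fortinet; the `/vpn/...` paths, the `theme` parameter and the sample log lines are constructed, and the check is a general traversal heuristic rather than a signature for any specific FortiOS URL.

```python
"""Detection sketch: flag directory-traversal attempts in web-portal access logs."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Combined Log Format style (not real traffic).
# The /vpn/... paths and the "theme" parameter are hypothetical.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [02/Apr/2021:10:00:01 +0000] "GET /vpn/login?theme=blue HTTP/1.1" 200 1234
203.0.113.10 - - [02/Apr/2021:10:00:02 +0000] "GET /vpn/login?theme=../../../../secret.conf HTTP/1.1" 200 5120
203.0.113.10 - - [02/Apr/2021:10:00:03 +0000] "GET /vpn/static/..%2f..%2fsecret.conf HTTP/1.1" 404 0
198.51.100.7 - - [02/Apr/2021:10:05:00 +0000] "GET /vpn/login?theme=%252e%252e%252fadmin HTTP/1.1" 200 42
198.51.100.9 - - [02/Apr/2021:10:06:00 +0000] "GET /vpn/files/..hidden.txt HTTP/1.1" 200 17
192.0.2.77 - - [02/Apr/2021:10:07:00 +0000] "GET /vpn/login?theme=..%5c..%5csecret.conf HTTP/1.1" 200 5120
"""

CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." that forms a whole path segment; "..hidden.txt" is a legitimate name and is not matched.
DOTDOT_SEGMENT = re.compile(r"(^|/)\.\.(/|$)")


def decode_fully(value, max_rounds=3):
    """Percent-decode until the string stops changing (catches double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(target):
    """True when the decoded path or any query value contains a '..' segment."""
    decoded = decode_fully(target).replace("\\", "/")  # treat backslashes as separators
    parts = urlsplit(decoded)
    candidates = [parts.path]
    candidates += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return any(DOTDOT_SEGMENT.search(c) for c in candidates)


def flag_traversal_requests(log_text):
    """Return one record per request whose target carries a traversal sequence."""
    flagged = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if is_traversal(target):
            flagged.append({
                "src": m.group("src"),
                "status": int(m.group("status")),
                "target": target,
                "decoded": decode_fully(target),
            })
    return flagged


if __name__ == "__main__":
    for hit in flag_traversal_requests(SAMPLE_ACCESS_LOG):
        print(f"{hit['src']} status={hit['status']} decoded={hit['decoded']}")
```

When triaging the output, a traversal request that the server answered with a 2xx status deserves attention first, since it means the portal served something rather than rejecting the request; a 404 shows the attempt but not a successful read. The decoding loop is what keeps the `%252e%252e%252f` line from slipping past a check that only decodes once.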
APTs are known to exploit critical vulnerabilities in popular commercial products to infiltrate corporate networks and conduct various attacks. Therefore, it is important to apply the latest security updates and patches to all the devices and OSes.