The Federal Bureau of Investigation (FBI) and the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint alert warning that Advanced Persistent Threat (APT) groups are actively exploiting vulnerabilities in the Fortinet SSL VPN.
The APT groups have been exploiting three vulnerabilities to gain a foothold in networks and are conducting reconnaissance and moving laterally within networks. Government agencies, commercial, technology, and critical infrastructure firms are being targeted in the campaign.
Access to the networks is used for data exfiltration and data encryption attacks, although the APT groups have historically also exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, SQL injection attacks, website defacements, and disinformation campaigns.
Three vulnerabilities in the Fortinet FortiOS are understood to be exploited by the APT groups – CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591. Scans are being conducted on ports 4443, 8443, and 10443 to identify devices vulnerable to exploitation of the CVE-2019-5591 vulnerability and the APT groups are enumerating servers that have not had the CVE-2018-13379 and CVE-2020-12812 vulnerabilities patched.
CVE-2018-13379 is a path-traversal flaw in the SSL VPN that allows an unauthenticated attacker to read system files by sending specially crafted HTTP resource requests. CVE-2020-12812 is an improper-authentication flaw in FortiOS that could allow a user to log in without providing the second authentication factor (FortiToken) if the case of their username is changed. CVE-2019-5591 is a flaw in the default configuration of FortiOS that allows an attacker on the same subnet to intercept sensitive information by impersonating the LDAP server. If the flaws are exploited, attackers could explore the network and exfiltrate data while appearing to security teams as normal users.
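To make the CVE-2020-12812 bug class concrete for defenders, here is an added, hypothetical model of an authentication flow where the password step normalises username case but the second-factor lookup does not, shown beside a hardened version that canonicalises once and fails closed. This is illustrative code written for this page, not FortiOS code; every name, credential and token value in it is constructed.

```python
# Hypothetical model of the CVE-2020-12812 bug class (NOT FortiOS code).
# Assumptions: the password check ignores username case (as a directory
# lookup often does), the token-binding lookup is case-sensitive, and a
# missing binding is treated as "second factor not required".

import hmac
from typing import Optional

# Constructed sample data: one user, one FortiToken-style binding.
PASSWORDS = {"alice": "correct-horse"}   # hypothetical credential store
TOKEN_BINDINGS = {"alice": "FTK-0001"}   # hypothetical token serial per user
CURRENT_OTPS = {"FTK-0001": "482913"}    # hypothetical current OTP per token
MFA_REQUIRED = True                      # policy: every user must present a token


def password_ok(username: str, password: str) -> bool:
    """Directory-style check: username case is ignored."""
    expected = PASSWORDS.get(username.lower())
    return expected is not None and hmac.compare_digest(expected, password)


def otp_ok(token_serial: str, otp: Optional[str]) -> bool:
    """Accept the OTP only if it matches the token's current value."""
    expected = CURRENT_OTPS.get(token_serial)
    return otp is not None and expected is not None and hmac.compare_digest(expected, otp)


def vulnerable_login(username: str, password: str, otp: Optional[str]) -> bool:
    """Flawed flow: 'Alice' passes the password step, misses the
    case-sensitive binding lookup, and is admitted without a second factor."""
    if not password_ok(username, password):
        return False
    serial = TOKEN_BINDINGS.get(username)   # case-sensitive: 'Alice' != 'alice'
    if serial is None:
        return True                          # lookup miss silently skips MFA
    return otp_ok(serial, otp)


def hardened_login(username: str, password: str, otp: Optional[str]) -> bool:
    """Fixed flow: canonicalise once, use the same key for every lookup,
    and let policy (not a lookup miss) decide whether MFA may be absent."""
    user = username.strip().lower()
    if not password_ok(user, password):
        return False
    serial = TOKEN_BINDINGS.get(user)
    if serial is None:
        return not MFA_REQUIRED              # fail closed when a factor is required
    return otp_ok(serial, otp)
```

The defensive lesson is that every authentication step must key off the same canonical identity, and that an absent second factor should be a policy decision rather than a side effect of a failed lookup.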
The alert also warns that “APT actors may use other CVEs or common exploitation techniques—such as spear-phishing—to gain access to critical infrastructure networks to pre-position for follow-on attacks.”
Fortinet reports that a patch for CVE-2018-13379 was released in May 2019, CVE-2019-5591 was patched in July 2019, and a patch for CVE-2020-12812 was released in July 2020. All three vulnerabilities should be patched as soon as possible to prevent exploitation. After patching, investigations should be conducted to determine whether the flaws have already been exploited.
Further mitigations and cybersecurity best practices are provided in the FBI/CISA alert.