Cybersecurity experts from the FBI and CISA have issued a joint cybersecurity advisory warning of APT exploits of Fortinet FortiOS vulnerabilities.
On April 2, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued the alert after observing Advanced Persistent Threat (APT) actors exploiting FortiOS vulnerabilities CVE-2018-13379, CVE-2019-5591 and CVE-2020-12812.
“It is likely that the APT actors are scanning for these vulnerabilities to gain access to multiple government, commercial, and technology services networks,” the FBI warned in the advisory.
“APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spearphishing campaigns, website defacements, and disinformation campaigns.”
As readers may remember, cybersecurity experts warned last November that hackers had targeted nearly 50,000 vulnerable, unpatched Fortinet VPNs to steal passwords.
The Fortinet path traversal vulnerability CVE-2018-13379 affects FortiOS SSL VPNs and was patched in May of 2019.
Furthermore, Fortinet confirmed the issue “may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.”
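To show what a defender can do with that description, here is a small added illustration in Python (not Fortinet's code and not from the advisory): it flags HTTP request lines whose path or query values climb above the web root, including percent-encoded, double-encoded and backslash variants. The endpoint `/vpn/portal` and the request lines are constructed for the example.

```python
"""Added example: spotting path-traversal attempts in HTTP request lines.
Not FortiOS code; the endpoint name and request lines below are constructed."""
import re
from urllib.parse import unquote, urlsplit, parse_qsl


def fully_decode(value: str, rounds: int = 3) -> str:
    # Undo repeated percent-encoding (%252e%252e -> %2e%2e -> ..) so the
    # structural check sees the characters a lenient server would act on.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_root(candidate: str) -> bool:
    # Walk the segments and track depth. posixpath.normpath would silently
    # collapse "/../x" to "/x", hiding exactly the case we care about.
    depth = 0
    for seg in re.split(r"[\\/]+", fully_decode(candidate)):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def request_is_traversal(target: str) -> bool:
    # Check the URL path and every query value: a traversal payload may sit
    # in a parameter rather than in the path itself.
    parts = urlsplit(target)
    if escapes_root(parts.path):
        return True
    return any(escapes_root(v) for _, v in parse_qsl(parts.query, keep_blank_values=True))


# Constructed access-log-style request lines (hypothetical endpoint /vpn/portal).
SAMPLE_REQUESTS = [
    "GET /vpn/portal/index.html HTTP/1.1",
    "GET /vpn/portal/lang?lang=en HTTP/1.1",
    "GET /vpn/portal/lang?lang=/../../../../etc/passwd HTTP/1.1",
    "GET /vpn/portal/%2e%2e/%2e%2e/%2e%2e/config HTTP/1.1",
    "GET /vpn/portal/..%5c..%5c..%5cconfig HTTP/1.1",
    "GET /vpn/portal/a/../b HTTP/1.1",
]


def flag_traversal(lines):
    """Return the request targets that escape the web root."""
    flagged = []
    for line in lines:
        fields = line.split()
        if len(fields) < 2:
            continue
        if request_is_traversal(fields[1]):
            flagged.append(fields[1])
    return flagged


if __name__ == "__main__":
    for target in flag_traversal(SAMPLE_REQUESTS):
        print("traversal:", target)
```

The depth counter matters: a request such as `/vpn/portal/a/../b` stays inside the root and is left alone, while anything that steps above `/` in the path or in a decoded parameter value is reported.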
In October of last year, threat actors were observed exploiting CVE-2018-13379 and other legacy internet-facing vulnerabilities in combination with “Zerologon” to target government networks, critical infrastructure, and elections organizations.
Fortinet patched CVE-2019-5591 on July 26, 2019.
According to the advisory, “a Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.”
This same vulnerability was patched by VMware and impacted VMware ESXi, Workstation and Fusion products.
Fortinet patched CVE-2020-12812 on July 13, 2020.
“An improper authentication vulnerability in SSL VPN in FortiOS may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username,” Fortinet wrote in the advisory.
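To make that failure mode concrete, here is a small added illustration in Python (not Fortinet's code; the user store, log lines and field names are constructed): a second-factor lookup keyed on the username exactly as typed, the corrected lookup that canonicalises the name first, and a log check that flags successful logins for token-enrolled users where no second factor was verified.

```python
"""Added illustration of the case-sensitivity defect class described above.
Not Fortinet code: user records, log format and field names are constructed."""
import re

# Constructed enrollment table. Keys are the canonical (lower-case) names.
ENROLLED = {
    "alice": {"password": "correct-horse", "token_enrolled": True},
    "bob": {"password": "battery-staple", "token_enrolled": False},
}


def check_password(username: str, password: str) -> bool:
    # Hypothetical primary-factor check. Many directory back ends match user
    # names case-insensitively, which is what sets up the mismatch below.
    rec = ENROLLED.get(username.lower())
    return rec is not None and rec["password"] == password


def needs_second_factor_vulnerable(username: str) -> bool:
    # Defect pattern: the token lookup uses the name exactly as typed, so
    # "Alice" finds no record and the second factor is never demanded.
    return ENROLLED.get(username, {}).get("token_enrolled", False)


def needs_second_factor_fixed(username: str) -> bool:
    # Fix: canonicalise the name the same way the primary check does before
    # deciding whether a token is required.
    return ENROLLED.get(username.lower(), {}).get("token_enrolled", False)


def login(username: str, password: str, token_ok: bool, policy) -> bool:
    """Return True on a successful login under the given second-factor policy."""
    if not check_password(username, password):
        return False
    if policy(username):
        return token_ok
    return True


# Constructed log lines in a generic key=value form (not the FortiOS log format).
SAMPLE_LOGS = [
    'ts=2021-04-02T10:00:01Z user="alice" action=ssl-login status=success mfa=verified',
    'ts=2021-04-02T10:05:33Z user="ALICE" action=ssl-login status=success mfa=not_required',
    'ts=2021-04-02T10:07:10Z user="bob" action=ssl-login status=success mfa=not_required',
    'ts=2021-04-02T10:09:45Z user="Alice" action=ssl-login status=failure mfa=not_required',
    'ts=2021-04-02T10:11:02Z user="BOB" action=ssl-login status=success mfa=not_required',
]
LOG_RE = re.compile(r'user="(?P<user>[^"]+)".*?status=(?P<status>\w+).*?mfa=(?P<mfa>\w+)')


def find_suspicious_logins(lines):
    """Flag successful logins for token-enrolled users with no verified token,
    and successful logins whose user string differs in case from the enrolled name."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["status"] != "success":
            continue
        canonical = m["user"].lower()
        rec = ENROLLED.get(canonical)
        if rec is None:
            continue
        if rec["token_enrolled"] and m["mfa"] != "verified":
            hits.append((m["user"], "token enrolled but second factor not verified"))
        elif m["user"] != canonical:
            hits.append((m["user"], "username case differs from enrolled name"))
    return hits


if __name__ == "__main__":
    print("vulnerable policy, no token:", login("Alice", "correct-horse", False, needs_second_factor_vulnerable))
    print("fixed policy, no token:", login("Alice", "correct-horse", False, needs_second_factor_fixed))
    for hit in find_suspicious_logins(SAMPLE_LOGS):
        print("suspicious:", hit)
```

The root cause the example models is two components disagreeing about the identity of a user: the password check normalises the name while the token lookup does not. The log check is the detection side of the same idea, and the two conditions it reports are worth watching for on any gateway where the second factor is keyed by username.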
Finally, the FBI and CISA published a list of mitigations in the cybersecurity alert; among them:
- Patch all affected devices according to Fortinet patch advisories.
- Add key artifact files used by FortiOS to your organization’s execution deny list.
- Regularly back up and protect data (air gap, password protection, etc.).
- Implement network segmentation.
- Require administrator credentials to install software.
- Implement a recovery plan to restore sensitive data.
- Use multifactor authentication where possible.
- Regularly change passwords.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
- Audit user accounts with administrative privileges and configure access controls with least privilege.
- Install and regularly update anti-malware software on all hosts.
- Ensure phishing protections (such as “external” banners for external emails) and security awareness training.