FBI and CISA Warn That APTs Are Exploiting Unpatched Fortinet Vulnerabilities

According to a joint statement from the FBI and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), international Advanced Persistent Threats or APTs are exploiting currently unpatched vulnerabilities in Fortinet FortiOS platforms belonging to tech services providers, governmental agencies, and private sector entities.

The APTs have honed in on flaws CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591, which were discovered in 2019 initially. This latest hacking campaign allows for attackers to penetrate and lay in wait on the victim's network for future cyberattacks.

CVE-2018-13379 is associated with Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12 platforms and was caused by the improper limitation of a pathname to a restricted directory under the SSL Virtual Private Network (VPN) web portal.

Once exploited, the flaw gives attackers the ability to download system files via specially crafted HTTP resource requests. One previous CISA alert stated that an exploit may also be able to expose passwords through the vulnerable system.

How are Vulnerabilities being Exploited?

To exploit the vulnerability, hackers initially must obtain the credentials of logged-in SSL VPN users.

In previous hacking campaigns, cybercriminals leveraged these security gaps in chained campaigns. The hackers would have to leverage a Fortinet FortiOS vulnerability initially to gain entry to the victim’s network, then they would pair the attack along with a critical Netlogon vulnerability, CVE-2020-1472, to elevate privileges during a single breach.

In these latest attacks, the US security agencies warned that APTs are scanning for devices on ports 4443, 8443, and 10443 to find CVE-2018-13379, as well as enumerated devices for CVE-2020-12812 and CVE-2019-5591 currently.

Vulnerabilities are typically leveraged by APTs to execute DDoS attacks, ransomware, spear-phishing, SQL injection attacks, website defacement, and disinformation campaigns, according to the joint statement.

During this campaign, the APTs are thought to be leveraging the Fortinet flaws to obtain network access for multiple critical infrastructure sectors, for that the alert called, "pre-positioning for follow-on data exfiltration or data encryption attacks." 

"APT actors may use other CVEs or common exploitation techniques—such as spear-phishing—to gain access to critical infrastructure networks to pre-position for follow-on attacks," according to the statement.

Critical infrastructure entities are now advised to apply the Fortinet software update to their devices immediately.

Organizations that do not employ the tech should add FortiOS key artifact files to their execution deny list immediately to prevent any possible attempts to install and or run the program and its files.

What Do the CISA and FBI Recommend to Users?

The US agencies further recommend requiring administrator credentials for any software installs and leveraging multi-factor authentication for all relevant endpoints. Network segmentation also is strongly recommended to isolate vulnerable technology from the main network as well as to back up data in a password-protected offline storage server regularly.

A focus on increased employee awareness and additional training based on identifying and avoiding phishing emails also are recommended, along with the disabling of hyperlinks in messages and the marking of external emails.