Advanced persistent threat (APT) actors are exploiting vulnerabilities in Fortinet's FortiOS operating system to gain access to perimeter devices and, through them, to the networks behind them, pre-positioning for follow-on data exfiltration and data encryption attacks.
In a recent Joint Cybersecurity Advisory, the DHS' Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) urged users of Fortinet FortiOS to promptly apply patches for three vulnerabilities, tracked as CVE-2020-12812, CVE-2018-13379, and CVE-2019-5591.
Patches for the three vulnerabilities were released in May 2019 (CVE-2018-13379), July 2019 (CVE-2019-5591) and July 2020 (CVE-2020-12812). Fortinet notified affected organizations and published several blog posts instructing customers to upgrade to a fixed FortiOS version; even so, many customers have not applied the patches and remain exposed to attack.
CVE-2018-13379 is a path traversal vulnerability (improper limitation of a pathname to a restricted directory) in the SSL VPN web portal of FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12. An unauthenticated attacker can download system files from a vulnerable device by sending specially crafted HTTP requests. Because the files retrievable this way include the SSL VPN session file, which holds logged-in users' credentials in plaintext, patching should be followed by a password reset for VPN accounts. Russian, Chinese and Iranian APT groups have previously exploited this vulnerability, including in intrusions into U.S. election support systems.
CVE-2020-12812 is an improper authentication vulnerability in the SSL VPN of FortiOS 6.4.0, 6.2.0 to 6.2.3 and 6.0.9. A user who changes the case of their username can log in successfully without being prompted for the second authentication factor (FortiToken), so deployments on these versions that relied on FortiToken to protect VPN logins were effectively single-factor.
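The bypass in CVE-2020-12812 belongs to a well-known bug class: the first factor resolves the username case-insensitively while the second-factor policy is looked up by the exact string the user typed, so a case variant passes the first check and is missed by the second. The following Python is an added illustration of that class with a constructed user store; it is not FortiOS code or anything from the advisory, and the function and data names are invented for the example. It pairs the flawed login with a fixed one and includes a black-box probe of the kind a tester would run against a real login to confirm whether case changes skip the token prompt.

```python
"""Model of the bug class behind CVE-2020-12812 (added illustration, not FortiOS code):
the first factor accepts a username case-insensitively, the second-factor policy
is keyed by the exact string typed. All data below is constructed."""
from itertools import product

# Constructed directory. The backend (think LDAP) matches names case-insensitively.
PASSWORDS = {"alice": "correct horse battery", "bob": "hunter2"}
# Second-factor enrolment, keyed by the username exactly as enrolled.
TOKEN_SECRETS = {"alice": "123456"}   # bob has no token enrolled


def backend_authenticate(username, password):
    """First factor: case-insensitive lookup, as many directory backends behave."""
    return PASSWORDS.get(username.casefold()) == password


def login_vulnerable(username, password, token=None):
    """Policy lookup uses the username as typed. 'Alice' passes the backend
    (which folds case) but is not found in TOKEN_SECRETS, so no token is demanded."""
    if not backend_authenticate(username, password):
        return "denied"
    expected = TOKEN_SECRETS.get(username)          # exact-case lookup: the bug
    if expected is not None and token != expected:
        return "token-required"
    return "granted"


def login_fixed(username, password, token=None):
    """Canonicalize once and use the canonical form for every decision, so the
    two checks can never disagree about who is logging in."""
    canonical = username.casefold()
    if not backend_authenticate(canonical, password):
        return "denied"
    expected = TOKEN_SECRETS.get(canonical)
    if expected is not None and token != expected:
        return "token-required"
    return "granted"


def case_variants(name):
    """Every upper/lower spelling of name (2**letters of them; fine for short names)."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in name]
    return {"".join(p) for p in product(*choices)}


def find_mfa_bypass(login, username, password):
    """Black-box probe: return the first spelling that is granted access with no
    token while the canonical spelling demands one, or None if the login holds."""
    if login(username, password) != "token-required":
        return None
    for variant in sorted(case_variants(username)):
        if login(variant, password) == "granted":
            return variant
    return None


if __name__ == "__main__":
    print("vulnerable:", find_mfa_bypass(login_vulnerable, "alice", "correct horse battery"))
    print("fixed:", find_mfa_bypass(login_fixed, "alice", "correct horse battery"))
```

The fix is not "lower-case the input" in one place but "derive one canonical identity and key every policy decision on it"; in a real deployment that key should be the directory's own identifier for the account rather than a string the user controls, and enrolment should refuse two accounts that differ only in case.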
CVE-2019-5591 is a default configuration vulnerability in FortiOS that allows an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server. Beyond patching, the practical check is that the FortiGate-to-LDAP connection uses LDAPS with server certificate verification, so that a host on the subnet cannot pose as the directory.
The FBI and CISA state that APT groups are enumerating devices not yet patched against CVE-2020-12812 and CVE-2019-5591, and are scanning ports 4443, 8443 and 10443 for devices vulnerable to CVE-2018-13379. The vulnerabilities have been exploited to gain access to multiple government, commercial and technology services networks. Other CVEs and techniques such as spear-phishing may also be used to gain access to critical infrastructure networks.
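Two checks a defender would want after reading the advisory, as an added Python example rather than code from CISA, the FBI or Fortinet: a version-range test against the affected versions listed above for CVE-2018-13379 and CVE-2020-12812 (CVE-2019-5591 is left out because the article gives no version range for it), and a scan of SSL VPN web-portal access logs for CVE-2018-13379-style directory-traversal requests. The sample log lines are constructed; the traversal request shape in them is the publicly documented one (a `..` sequence in the lang parameter of /remote/fgt_lang), and the log format, regular expressions and function names are this example's own assumptions.

```python
"""Added example (not from the advisory): affected-version check for the CVEs named
above, plus traversal detection over constructed SSL VPN web-portal access logs."""
import re
from urllib.parse import unquote, urlsplit

# Inclusive affected ranges, transcribed from the article. CVE-2019-5591 is omitted
# because the article gives no version range for it.
AFFECTED = {
    "CVE-2018-13379": [((6, 0, 0), (6, 0, 4)), ((5, 6, 3), (5, 6, 7)), ((5, 4, 6), (5, 4, 12))],
    "CVE-2020-12812": [((6, 4, 0), (6, 4, 0)), ((6, 2, 0), (6, 2, 3)), ((6, 0, 9), (6, 0, 9))],
}

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Accept '6.0.4', 'v6.0.4' or a banner like 'v6.0.4,build0231' and return (6, 0, 4)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())


def affected_cves(version_text):
    """Return the CVEs whose published ranges contain this version, sorted."""
    v = parse_version(version_text)
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if any(lo <= v <= hi for lo, hi in ranges))


# A '..' path segment delimited by '/' or '\' (or the start/end of the string).
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def is_traversal_attempt(request_target):
    """True if the path or query of the request target contains a '..' segment, either
    raw or after one or two rounds of percent-decoding (catches %2e%2e and %252e)."""
    once = unquote(request_target)
    twice = unquote(once)
    for candidate in (request_target, once, twice):
        parts = urlsplit(candidate)
        if TRAVERSAL_RE.search(parts.path) or TRAVERSAL_RE.search(parts.query):
            return True
    return False


# Common Log Format (assumed): client, ident, user, [time], "METHOD target PROTO", status, size.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def scan_log(lines):
    """Return (client_ip, status, raw_target) for every request flagged as a traversal attempt."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if m and is_traversal_attempt(m["target"]):
            hits.append((m["ip"], int(m["status"]), m["target"]))
    return hits


# Constructed sample log. Lines 2 and 3 use the publicly documented CVE-2018-13379 request
# shape (traversal in the 'lang' parameter of /remote/fgt_lang, once raw and once
# percent-encoded); the addresses are documentation ranges, not real sources.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Apr/2021:10:01:22 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 1420
203.0.113.10 - - [08/Apr/2021:10:01:25 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 3096
198.51.100.7 - - [08/Apr/2021:10:02:01 +0000] "GET /remote/fgt_lang?lang=%2F..%2F..%2F..%2F..%2Fdev%2Fcmdb%2Fsslvpn_websession HTTP/1.1" 404 0
192.0.2.44 - - [08/Apr/2021:10:03:10 +0000] "POST /remote/logincheck HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    print(affected_cves("v6.0.4,build0231"))
    for ip, status, target in scan_log(SAMPLE_LOG.splitlines()):
        print(ip, status, target)
```

A flagged request with status 200 and a non-trivial response size is the one that matters: treat it as a successful file read, assume the SSL VPN session file and the credentials in it were exposed, and reset those accounts in addition to patching. When scanning your own perimeter for unpatched portals, include the ports the advisory names (4443, 8443, 10443) alongside 443.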
In addition to applying the patches, the FBI and CISA recommend a number of mitigations to reduce the risk of exploitation.
- Add the key artifact files used by FortiOS to the organization's execution deny list, so that attempts to install or run the vulnerable program and its associated files are blocked.
- Configure systems to require administrator credentials before installing software.
- Implement multi-factor authentication where possible, maintain good password hygiene, and conduct audits of accounts with admin privileges.
- Disable all unused remote access/RDP ports and audit remote access/RDP logs.
- Because phishing is a likely entry vector, flag emails that arrive from external sources and disable hyperlinks in received emails.
- Train employees in information security and in recognizing phishing emails.
- Install antivirus software on all devices and keep it up to date.
- Use network segmentation to limit the harm that can be caused in case of a network breach.
- Because extortion and data destruction attacks may follow an intrusion, back up data regularly, keep a copy offline on an air-gapped device, and password-protect that copy.
- Maintain a recovery plan that restores sensitive data from a physically separate, segmented, secure location.