In a joint alert, CISA and the FBI note nation-state actors are scanning for FortiOS vulnerabilities tracked as CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591 for initial attacks.

The alert does not disclose details on the threat actors, but it says the agencies have detected a surge in scanning activities for the vulnerabilities since March. The agencies say the attackers could use the vulnerabilities to gain access to the networks of government agencies or private entities.

“The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks,” the alert notes. It adds that the APT attackers may also use other CVEs or common exploitation techniques – such as spear-phishing.

Vulnerabilities

Fortinet announced: “The security of our customers is our first priority. CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a PSIRT advisory and communicated directly with customers and via corporate blog posts on multiple occasions in an August 2019 and July 2020 blog strongly recommending an upgrade. Upon resolution we have consistently communicated with customers, as recently as late as 2020. CVE-2019-5591 was resolved in July 2019 and CVE-2020-12812 was resolved in July 2020,” advising customers seeking more information, to visit its blog and immediately refer to its May 2019 advisory, adding: “If customers have not done so, we urge them to immediately implement the upgrade and mitigations.”

The Fortinet vulnerabilities are:

• CVE-2018-13379: An improper pathname vulnerability found in multiple versions of the Fortinet FortiOS SSL VPN web portal that can allow an unauthenticated attacker to download system files via specially crafted HTTP resource requests. In November 2020, after hackers leaked stolen passwords, the CIA warned that threat actors could exploit the vulnerability using exposed credentials. In July 2020, the U.S., U.K. and Canada warned that the Russian hacking group APT29 exploited the vulnerability to target research organizations in countries involved in COVID-19 vaccine development.
• CVE-2020-12812: An improper authentication vulnerability in SSL VPN affecting multiple FortiOS versions that enables an attacker to successfully log in without authentication;
• CVE-2019-5591: A default configuration vulnerability in FortiOS that allows an unauthenticated attacker to intercept sensitive information by impersonating servers.

Exploiting Vulnerabilities

Security experts note attackers can exploit the vulnerabilities in several ways.

Joseph Cortese, penetration testing practice lead at A-LIGN, notes attackers can use the vulnerabilities for path traversal attack to obtain sensitive system files. “An attack like this will be successful in obtaining usernames and password hashes for cracking and further exploitation of the network behind the firewall,” he says. “The top priority should be assigned to patching and remediating these vulnerabilities, as this is the type that can result in a magnitude of attacks.”

Zach Hanley, senior red team engineer at security firm Horizon3.ai, adds that the attackers can use the vulnerabilities to obtain valid credentials to perform man-in-the middle attacks, which will then help them to intercept authentication traffic. “The common theme here is: Once they are successful, they will look just like your normal users.”

Dirk Schrader, global vice president of security research at New Net Technologies, says: “Exploiting vulnerabilities in key infrastructure devices like firewalls is a critical path for attackers as it allows them to establish foothold behind them. For any organization, monitoring these devices, patching them, controlling any configuration changes on them is a priority job for the security teams.”

Recommendations

Recommended steps, beyond patching, that Fortinet users can take to prevent exploitation of the flaws, include:

• Regularly backing up data, and password-protecting those backup copies. The agency also notes organizations should ensure that the copies are not accessible for modification or deletion from the primary system on which the data resides.
• Implementing network segmentation and having an effective recovery plan to restore sensitive or proprietary data from a physically separate, segmented, secure location – such as a hard drive, a storage device or in the cloud.
• Regularly changing passwords to network systems and accounts and avoiding reusing passwords for different accounts.
• Disabling unused remote access or remote desktop protocol ports and monitoring these tools.
• Auditing user accounts with administrative privileges and configuring access controls with least privilege in mind.

The information contained in this website is for general information purposes only. The information is gathered from Gov Info Security, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.