US authorities warned of attacks by APT groups through vulnerabilities in Fortinet FortiOS VPN
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have warned that highly skilled hackers can exploit vulnerabilities in Fortinet FortiOS VPN in an attempt to target medium and large businesses.
Fortinet is an American company that specializes in developing and marketing information security software, solutions and services.
In the published Joint Cybersecurity Advisory (CSA), the agencies warn admins and users that state-sponsored hacking groups are “likely” exploiting the Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
“APT groups can use these vulnerabilities and other common techniques to gain initial access to numerous governmental, commercial and technological services. Getting initial access allows APT groups to carry out further attacks,” the FBI and CISA said in the joint notice.
Fortinet FortiOS SSL VPN is used primarily in firewalls that protect sensitive internal networks from the public Internet. All three vulnerabilities listed in the notification have already been patched. Two of them (CVE-2018-13379 and CVE-2020-12812; the third is CVE-2019-5591) are especially dangerous because they allow an unauthenticated attacker to steal credentials and connect to vulnerable VPN installations.
If the VPN credentials are also used by other internal services (e.g. Active Directory, LDAP), the attacker immediately gains access to those services with the privileges of the user whose credentials were stolen. The attacker can then explore the network looking for vulnerabilities in other internal services.
The FBI notice does not indicate which APT groups are involved. In addition, the notice refers only to the “probable” exploitation of the vulnerabilities listed above.
Remediating the vulnerabilities requires IT administrators to make configuration changes, and if the organization does not operate more than one VPN device, downtime will result.
While this can be a real problem in environments that require 24/7 VPN availability, a potential ransomware or spyware attack can cause far more damage than a short period of downtime.
Following the warning, Fortinet sent the following statement to Bleeping Computer:
“The safety of our customers is our top priority. CVE-2018-13379 is an older vulnerability that was fixed in May 2019. Fortinet immediately issued a PSIRT notice and spoke directly with customers and through corporate blog posts on multiple occasions, strongly recommending the update. After resolving the problem, we constantly communicated with clients until 2020. CVE-2019-5591 was fixed in July 2019 and CVE-2020-12812 was fixed in July 2020. If customers have not already done so, we strongly recommend that they implement the update and mitigation measures immediately.”
Let me remind you that CyberArk Labs specialists published a report revealing a number of bugs in popular antivirus products from leading industry brands, including Fortinet products.