FBI and CISA: APT Groups Targeting Government AgenciesThree FortiOS Vulnerabilities Being Exploited for the Campaign
The U.S. Cybersecurity and Infrastructure Security Agency and the FBI warn that unidentified nation-state actors are scanning for three vulnerabilities in Fortinet's operating system, FortiOS, to potentially target government agencies and companies for cyberespionage.
See Also: 12 Immutable Rules for Observability
In a joint alert released on Friday, CISA and the FBI note nation-state actors are scanning for FortiOS vulnerabilities tracked as CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591 for initial attacks.
The alert does not disclose details on the threat actors, but it says the agencies have detected a surge in scanning activities for the vulnerabilities since March. The agencies say the attackers could use the vulnerabilities to gain access to the networks of government agencies or private entities.
"The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks," the alert notes. It adds that the APT attackers may also use other CVEs or common exploitation techniques - such as spear-phishing.
When contacted by ISMG to comment, Fortinet responded: "The security of our customers is our first priority. CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a PSIRT advisory and communicated directly with customers and via corporate blog posts on multiple occasions in an August 2019 and July 2020 blog strongly recommending an upgrade. Upon resolution we have consistently communicated with customers, as recently as late as 2020. CVE-2019-5591 was resolved in July 2019 and CVE-2020-12812 was resolved in July 2020," advising customers seeking more information, to visit its blog and immediately refer to its May 2019 advisory, adding: "If customers have not done so, we urge them to immediately implement the upgrade and mitigations."
The Fortinet vulnerabilities are:
- CVE-2018-13379: An improper pathname vulnerability found in multiple versions of the Fortinet FortiOS SSL VPN web portal that can allow an unauthenticated attacker to download system files via specially crafted HTTP resource requests. In November 2020, after hackers leaked stolen passwords, the CIA warned that threat actors could exploit the vulnerability using exposed credentials (see: CISA Warns of Password Leak on Vulnerable Fortinet VPNs). In July 2020, the U.S., U.K. and Canada warned that the Russian hacking group APT29 exploited the vulnerability to target research organizations in countries involved in COVID-19 vaccine development (see: US, UK, Canada: Russian Hackers Targeting COVID-19 Research);
- CVE-2020-12812: An improper authentication vulnerability in SSL VPN affecting multiple FortiOS versions that enables an attacker to successfully log in without authentication;
- CVE-2019-5591: A default configuration vulnerability in FortiOS that allows an unauthenticated attacker to intercept sensitive information by impersonating servers.
Security experts note attackers can exploit the vulnerabilities in several ways.
Joseph Cortese, penetration testing practice lead at A-LIGN, notes attackers can use the vulnerabilities for path traversal attack to obtain sensitive system files. "An attack like this will be successful in obtaining usernames and password hashes for cracking and further exploitation of the network behind the firewall," he says. "The top priority should be assigned to patching and remediating these vulnerabilities, as this is the type that can result in a magnitude of attacks."
Zach Hanley, senior red team engineer at security firm Horizon3.ai, adds that the attackers can use the vulnerabilities to obtain valid credentials to perform man-in-the middle attacks, which will then help them to intercept authentication traffic. "The common theme here is: Once they are successful, they will look just like your normal users."
Dirk Schrader, global vice president of security research at New Net Technologies, says: "Exploiting vulnerabilities in key infrastructure devices like firewalls is a critical path for attackers as it allows them to establish foothold behind them. For any organization, monitoring these devices, patching them, controlling any configuration changes on them is a priority job for the security teams."
CISA and the FBI have recommended steps, beyond patching, that Fortinet users can take to prevent exploitation of the flaws. These include:
- Regularly backing up data, and password-protecting those backup copies. The agency also notes organizations should ensure that the copies are not accessible for modification or deletion from the primary system on which the data resides.
- Implementing network segmentation and having an effective recovery plan to restore sensitive or proprietary data from a physically separate, segmented, secure location - such as a hard drive, a storage device or in the cloud.
- Regularly changing passwords to network systems and accounts and avoiding reusing passwords for different accounts.
- Disabling unused remote access or remote desktop protocol ports and monitoring these tools.
- Auditing user accounts with administrative privileges and configuring access controls with least privilege in mind.