APT actors scanning for unpatched Fortinet vulnerabilities in ongoing attacks against high-value targets
Patch, patch, patch...
Advanced Persistent Threat (APT) actors are scanning for a trio of previously reported and patched vulnerabilities in security vendor Fortinet's FortiOS and VPN -- likely to "gain access to multiple government, commercial, and technology services networks," the FBI and CISA warned in a joint advisory.
The threat actors are scanning devices on ports 4443, 8443, and 10443 for CVE-2018-13379, and enumerating devices for CVE-2020-12812 and CVE-2019-5591, the two agencies said on April 2.
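The advisory's port list is directly usable as a monitoring rule. The following is an added example, not code from the article or the advisory: it scans a constructed, generic key=value firewall log (not Fortinet's real log schema) and reports any source address that touches two or more of the three SSL VPN ports named above, which is the pattern a defender would want to surface in a SIEM. The sample log lines, the field names and the `min_ports` threshold are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict

# Ports named in the CISA/FBI advisory as being scanned for CVE-2018-13379.
WATCHED_PORTS = {4443, 8443, 10443}

# Constructed sample log lines (generic key=value format, not a real vendor schema).
SAMPLE_LOG = """\
ts=2021-04-02T10:00:01Z src=203.0.113.7 dst=192.0.2.10 dport=4443 action=deny
ts=2021-04-02T10:00:02Z src=203.0.113.7 dst=192.0.2.10 dport=8443 action=deny
ts=2021-04-02T10:00:03Z src=203.0.113.7 dst=192.0.2.10 dport=10443 action=accept
ts=2021-04-02T10:00:04Z src=198.51.100.4 dst=192.0.2.10 dport=443 action=accept
ts=2021-04-02T10:00:05Z src=198.51.100.4 dst=192.0.2.10 dport=8443 action=accept
ts=2021-04-02T10:00:06Z src=203.0.113.7 dst=192.0.2.11 dport=4443 action=deny
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def parse_line(line):
    """Extract (src, dst, dport) from one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def find_vpn_port_scanners(log_text, min_ports=2):
    """Return {src: sorted watched ports touched} for every source that reached
    at least `min_ports` distinct watched ports, regardless of destination or
    whether the firewall accepted or denied the connection."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or unrelated line
        src, _dst, dport = parsed
        if dport in WATCHED_PORTS:
            hits[src].add(dport)
    return {src: sorted(ports) for src, ports in hits.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, ports in find_vpn_port_scanners(SAMPLE_LOG).items():
        print(f"{src} probed watched SSL VPN ports {ports}")
```

Denied connections are counted on purpose: a source that is blocked on 4443 and 8443 but reaches 10443 is exactly the reconnaissance pattern the advisory describes, and dropping the denies would hide it. Lower `min_ports` to 1 to see every touch of a watched port, at the cost of more noise from ordinary clients.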
"[We] have information indicating APT actors are using multiple CVEs to exploit Fortinet FortiOS vulnerabilities... [to] gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks," the CISA/FBI advisory said.
The agencies urged Fortinet customers who haven't already patched to do so urgently.
In an advisory reiterating a range of security hygiene basics, the two called on organisations to disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs; to audit user accounts with administrative privileges and configure access controls with least privilege in mind; to implement network segmentation and to disable hyperlinks in received emails.
CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal; CVE-2019-5591 is a vulnerability in FortiOS that may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server; and CVE-2020-12812 is a FortiOS SSL VPN login bypass for 2FA that lets a user log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.
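The username-case bypass is an instance of a general bug class: one part of the login path canonicalises the username and another does not. The code below is an added illustration, not Fortinet's implementation and not a description of how CVE-2020-12812 works internally; it assumes a model in which the directory lookup is case-insensitive while the 2FA policy lookup is keyed on the username exactly as typed, and shows the hardened form beside it. The accounts, passwords and the fixed token value are constructed for the demo.

```python
import hmac
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    password: str        # plaintext only for the demo; real systems store a salted hash
    requires_2fa: bool
    expected_token: str  # stands in for a TOTP/FortiToken check


# Constructed sample directory, keyed by the canonical (lower-case) username.
ACCOUNTS = {
    "alice": Account("alice", "correct horse", requires_2fa=True, expected_token="123456"),
    "bob": Account("bob", "battery staple", requires_2fa=False, expected_token=""),
}


def find_account(username):
    """Directory lookup: case-insensitive, as an LDAP-backed directory commonly is."""
    return ACCOUNTS.get(username.lower())


def token_ok(acct, provided_token):
    """Constant-time comparison of the presented second factor."""
    return hmac.compare_digest(provided_token or "", acct.expected_token)


def vulnerable_login(username, password, provided_token=None):
    """Returns True on success. The 2FA policy is looked up with the username
    as typed, so 'ALICE' finds no policy and is treated as not needing 2FA."""
    acct = find_account(username)
    if acct is None or acct.password != password:
        return False
    policy = ACCOUNTS.get(username)          # BUG: case-sensitive, unlike find_account()
    needs_2fa = policy.requires_2fa if policy else False
    if needs_2fa and not token_ok(acct, provided_token):
        return False
    return True


def hardened_login(username, password, provided_token=None):
    """Canonicalise once, then use the canonical form for every decision:
    credential check, 2FA policy and (in a real system) the audit log."""
    canonical = username.strip().lower()
    acct = ACCOUNTS.get(canonical)
    if acct is None or acct.password != password:
        return False
    if acct.requires_2fa and not token_ok(acct, provided_token):
        return False
    return True


if __name__ == "__main__":
    print("vulnerable, 'ALICE', no token:", vulnerable_login("ALICE", "correct horse"))
    print("hardened,   'ALICE', no token:", hardened_login("ALICE", "correct horse"))
```

The defensive lesson is that the identity used to decide "does this user need a second factor" must be the same canonical identity that authenticated the password; deriving it twice, by two different rules, is what opens the gap. A regression test that logs in with every case variant of a 2FA-enrolled username and expects a token prompt each time catches this class of bug before release.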