Rewterz Threat Advisory – APTs Actively Exploiting Fortinet VPN Security Vulnerabilities

Severity

High

Analysis Summary

Three security vulnerabilities in the Fortinet SSL VPN are being used to gain a foothold within networks before moving laterally and carrying out reconnaissance. The FBI and the Cybersecurity and Infrastructure Security Agency are warning that advanced persistent threat (APT) nation-state actors are actively exploiting known security vulnerabilities in the Fortinet FortiOS cybersecurity operating system, affecting the company’s SSL VPN products. Cyber attackers are scanning devices on ports 4443, 8443 and 10443, looking for unpatched Fortinet security implementations. 

APTs are exploiting CVE-2018-13379. In 2019, CVE-2018-13379 was extensively exploited in attacks in which unpatched VPN servers were targeted by Nation-State attackers. It was also exploited in the FireEye hack in December 2020. In addition, APTs are also exploiting two other vulnerabilities:

CVE-2019-5591 : A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server. 

CVE-2020-12812:  An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username. 
These vulnerabilities are being exploited to gain access to multiple government, commercial, and technology services networks. These three vulnerabilities targeting the Fortinet VPN allow an attacker to obtain valid credentials, bypass multifactor authentication (MFA), and man-in-the-middle (MITM) authentication traffic to intercept credentials.

SSL VPN vulnerabilities have been an attractive target for APT groups and cybercriminals alike. With the shift to remote work and the increased demand for SSL VPNs like Fortinet and others, the attack surface and available targets have expanded. Organizations should prioritize patching their Fortinet devices immediately if they haven’t done so already.

Impact

• Security Bypass
• Credential Theft
• Exposure of Sensitive Information
• Unauthorized Access

Affected Vendors

Fortinet

Affected Products

• Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12
• SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below

Remediation

Organizations should take the following steps to mitigate this exploitation: 

• Immediately patch CVEs 2018-13379, 2020-12812, and 2019-5591.
• If FortiOS is not used by your organization, add key artifact files used by FortiOS to your organization’s execution deny list. Any attempts to install or run this program and its associated files should be prevented.
• Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the primary system where the data resides.
• Implement network segmentation.
• Require administrator credentials to install software.
• Implement a recovery plan to restore sensitive or proprietary data from a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
• Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
• Use multifactor authentication where possible.
• Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts.
• Implement the shortest acceptable timeframe for password changes.
• Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
• Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
• Install and regularly update antivirus and anti-malware software on all hosts.
• Consider adding an email banner to emails received from outside your organization.
• Disable hyperlinks in received emails.
• Focus on awareness and training. Provide users with training on information security principles and techniques, particularly on recognizing and avoiding phishing emails.