Rewterz Threat Advisory – Phishing Attacks Using COVID-19 Schemes and Fake Websites
May 28, 2021Rewterz Threat Alert – SNAKE Ransomware – Active IOCs
May 29, 2021Rewterz Threat Advisory – Phishing Attacks Using COVID-19 Schemes and Fake Websites
May 28, 2021Rewterz Threat Alert – SNAKE Ransomware – Active IOCs
May 29, 2021Severity
High
Analysis Summary
Threat actors have been continuously exploiting Fortinet FortiOS vulnerabilities in attacks targeting commercial, government, and technology services networks. The targeted bugs include CVE-2018-13379 (a path traversal in the FortiOS SSL VPN web portal), CVE-2020-12812 (a bypass of FortiOS SSL VPN two-factor authentication), and CVE-2019-5591 (default configurations ship without LDAP server identity verification). While initial activity only involved scanning for devices vulnerable to the FortiOS SSL VPN web portal flaw (on ports 4443, 8443, and 10443), as well as enumeration of devices potentially impacted by the other two bugs, the attackers have since moved to network compromise and additional malicious activity.
According to FBI “Access gained by the APT actors can be leveraged to conduct data exfiltration, data encryption, or other malicious activity. The APT actors are actively targeting a broad range of victims across multiple sectors, indicating the activity is focused on exploiting vulnerabilities rather than targeted at specific sectors.”
Impact
- Network access
- Data exfiltration
- Data encryption
Affected Vendors
Fortinet
Indicators of Compromise
Filename
Audio[.]exe or frpc[.]exe
Frps[.]exe
MD5
b90f05b5e705e0b0cb47f51b985f84db
26f330dadcdd717ef575aa5bfcdbe76a
SHA-256
28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa
d7982ffe09f947e5b4237c9477af73a034114af03968e3c4ce462a029f072a5a
SHA1
5bd0690247dc1e446916800af169270f100d089b
c4160aa55d092cf916a98f3b3ee8b940f2755053
Remediation
Refer to Rewterz threat advisory of APTs Actively Exploiting Fortinet VPN Security Vulnerabilities. https://www.rewterz.com/rewterz-news/rewterz-threat-advisory-apts-actively-exploiting-fortinet-vpn-security-vulnerabilities
- Search for IOCs in your environment.
- Keep your devices/ software updated to the latest patches.
- Enable multi-factor authentication where possible.
- Audit user accounts with administrative privileges and configure access controls with the least privilege in mind.
- Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.