Threat actors have been continuously exploiting Fortinet FortiOS vulnerabilities in attacks targeting commercial, government, and technology services networks. The targeted bugs include CVE-2018-13379 (a path traversal in the FortiOS SSL VPN web portal that lets an unauthenticated attacker download system files), CVE-2020-12812 (an improper-authentication flaw in the FortiOS SSL VPN that allows two-factor authentication to be bypassed), and CVE-2019-5591 (a default configuration in which FortiOS does not verify the identity of the LDAP server it connects to, allowing an attacker on the same subnet to impersonate it). While initial activity only involved scanning for devices vulnerable to the SSL VPN web portal flaw (on ports 4443, 8443, and 10443), as well as enumeration of devices potentially affected by the other two bugs, the attackers have since moved on to network compromise and further malicious activity.
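The scanning and traversal activity described above, as an added detection example that is not part of the original advisory or of Rewterz's own material: a Python script that runs over constructed access-log lines and flags sources sweeping the three SSL VPN portal ports as well as requests carrying the CVE-2018-13379 traversal payload. The log format, the sample IP addresses and the function names are assumptions; the `/remote/fgt_lang` endpoint and the `sslvpn_websession` target in the payload come from Fortinet's public disclosure of the bug, not from this page.

```python
"""Scan constructed web-portal access logs for the activity described above:
sweeps of the three SSL VPN portal ports and CVE-2018-13379 traversal requests."""
from collections import defaultdict
import re
from urllib.parse import unquote, urlsplit

# Ports the advisory reports being scanned for the SSL VPN web portal.
SSLVPN_PORTS = {4443, 8443, 10443}

# CVE-2018-13379 is exercised through the portal's language endpoint: the
# "lang" parameter is abused with "../" sequences to reach files such as the
# session store under /dev/cmdb/. Endpoint and target are from the public
# disclosure (Fortinet FG-IR-18-384), not from the page above.
TRAVERSAL_ENDPOINT = "/remote/fgt_lang"
TRAVERSAL_TARGET = "sslvpn_websession"

# Constructed log format (an assumption, not a FortiOS log format):
#   <timestamp> <client-ip> <server-port> "<method> <url> <version>" <status>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<port>\d+) '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})$'
)

# Constructed sample: 203.0.113.7 sweeps all three ports and then fires the
# traversal; 198.51.100.9 sends the same request URL-encoded; 192.0.2.44 is a
# legitimate user fetching the English language pack and logging in.
SAMPLE_LOG = """\
2021-04-02T10:15:01Z 203.0.113.7 10443 "GET /remote/login HTTP/1.1" 200
2021-04-02T10:15:02Z 203.0.113.7 4443 "GET /remote/login HTTP/1.1" 200
2021-04-02T10:15:02Z 203.0.113.7 8443 "GET /remote/login HTTP/1.1" 200
2021-04-02T10:15:03Z 203.0.113.7 10443 "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200
2021-04-02T10:16:10Z 198.51.100.9 10443 "GET /remote/fgt_lang?lang=%2F..%2F..%2F..%2F..%2Fdev%2Fcmdb%2Fsslvpn_websession HTTP/1.1" 200
2021-04-02T10:20:00Z 192.0.2.44 10443 "GET /remote/fgt_lang?lang=en HTTP/1.1" 200
2021-04-02T10:21:00Z 192.0.2.44 10443 "POST /remote/logincheck HTTP/1.1" 200
"""


def parse_line(line):
    """Return a record dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["status"] = int(rec["status"])
    return rec


def is_traversal_attempt(url):
    """True when the request targets the language endpoint with a traversal payload.

    The query string is percent-decoded repeatedly so that single or double
    URL-encoding of "../" does not slip past the check.
    """
    parts = urlsplit(url)
    if parts.path != TRAVERSAL_ENDPOINT:
        return False
    query = parts.query
    for _ in range(3):
        decoded = unquote(query)
        if decoded == query:
            break
        query = decoded
    return "../" in query or "..\\" in query or TRAVERSAL_TARGET in query


def analyze(log_text):
    """Return (traversal_hits, port_sweeps).

    traversal_hits: list of (src, port, url) for CVE-2018-13379 style requests.
    port_sweeps:    {src: sorted ports} for sources that touched more than one
                    of the three SSL VPN ports, which is what a scanner hunting
                    for the portal does and a normal VPN user does not.
    """
    traversal_hits = []
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["port"] in SSLVPN_PORTS:
            ports_by_src[rec["src"]].add(rec["port"])
        if is_traversal_attempt(rec["url"]):
            traversal_hits.append((rec["src"], rec["port"], rec["url"]))
    port_sweeps = {src: sorted(p) for src, p in ports_by_src.items() if len(p) > 1}
    return traversal_hits, port_sweeps


if __name__ == "__main__":
    hits, sweeps = analyze(SAMPLE_LOG)
    for src, port, url in hits:
        print(f"traversal attempt from {src} on port {port}: {url}")
    for src, ports in sweeps.items():
        print(f"port sweep from {src}: {ports}")
```

The traversal check matches on the endpoint plus any `../` or the session-file name after decoding, rather than on one exact payload string, because scanners vary the number of `../` segments and the encoding. A traversal request that was answered with status 200 should be treated as a successful read of the session file, which means every SSL VPN credential and session on that device is suspect, not just the one request.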
According to the FBI, “Access gained by the APT actors can be leveraged to conduct data exfiltration, data encryption, or other malicious activity. The APT actors are actively targeting a broad range of victims across multiple sectors, indicating the activity is focused on exploiting vulnerabilities rather than targeted at specific sectors.”
Audio[.]exe or frpc[.]exe
Refer to the Rewterz threat advisory "APTs Actively Exploiting Fortinet VPN Security Vulnerabilities": https://www.rewterz.com/rewterz-news/rewterz-threat-advisory-apts-actively-exploiting-fortinet-vpn-security-vulnerabilities