FBI/CISA Alert on Continuing Attacks On Vulnerable Fortinet FortiOS Servers

Advanced persistent threat (APT) actors are targeting vulnerabilities in the Fortinet FortiOS operating system to obtain access to servers to enter networks as pre-placement for follow-on data exfiltration and information encryption attacks.

In the latest Joint Cybersecurity Advisory, the Federal Bureau of Investigation (FBI) and the DHS’ Cybersecurity and Infrastructure Security Agency notified end-users of the Fortinet FortiOS to promptly employ patches for three vulnerabilities, monitored as CVE 2020-12812, CVE 2019-5591 and CVE 2018-13379.

Patches were introduced to fix the vulnerabilities in May 2019, July 2019, July 2020. Fortinet corresponded with impacted firms and shared a number of blog posts telling clients to upgrade the FortiOS to a secure version; then again, many users have not implemented the patches to fix the vulnerabilities and are prone to attack.

CVE-2018-13379 is a vulnerability resulting from the inappropriate limit of a pathname to a restricted directory and occurs in Fortinet FortiOS 5.4.6 to 5.4.12, 5.6.3 to 5.6.7 and 6.0.0 to 6.0.4. Under SSL VPN website, an unauthenticated attacker could get system files by transmitting specially made HTTP tickets to a vulnerable server. Before, Chinese Russian, and Iranian APT groups have taken advantage of the vulnerability so as to breach U.S. election support solutions.

CVE-2020-12812 is an inappropriate authentication vulnerability identified in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9, which can be exploited to let users get access with success without requiring an additional authentication factor – FortiToken – whenever they modified the case of their username.

CVE-2019-5591 is a default settings vulnerability found in FortiOS which may permit an unauthenticated hacker on the same subnet to snatch sensitive information by posing as the LDAP server.

The FBI/CISA point out that APT groups are listing servers that have not been patched to correct CVE-2020-12812 and CVE-2019-5591 and are checking for devices susceptible to CVE-2018-13379 on ports 10443, 4443 and 8443. The vulnerabilities were taken advantage of to obtain access to several businesses, government, and technology services sites. Other CVEs and exploitation tactics including spear-phishing could also be utilized in attacks to acquire access to vital infrastructure systems.

Aside from implementing the patches to resolve vulnerabilities, the FBI/CISA advises these few other tips to avert vulnerabilities exploitation:

  • Include key artifact files employed by FortiOS to execution deny lists to stop initiatives to install and operate the insecure program and its related data.
  • Set up systems to necessitate administrator credentials prior to putting in software.
  • Apply multi-factor authentication where probable, continue to keep good password hygiene and perform reviews of accounts having admin rights.
  • Deactivate all remote access/RDP ports that are unused and review remote access/RDP records.
  • Because phishing attacks are likely to happen, flag communications from external sources and deactivate links in emails.
  • Educate the staff about data security and how to know phishing emails.
  • Set up antivirus software program on all systems and keep it updated.
  • Employ network segmentation to control the damage that can be created in the event of a network breach.
  • Considering that extortion and data deletion attacks can take place, routinely backup data and save a backup copy on an air-gapped system and password-protect the file backup.
  • Develop a recovery plan to regain sensitive information from a physically independent, segmented, protected area.