The FBI and CISA released a joint cybersecurity advisory documenting that a number of APTs have been seen in the wild scanning for three FortiOS vulnerabilities (CVE-2018-13379, CVE-2019-5591 and CVE-2020-12812). These vulnerabilities, if exploited, can allow unauthorized remote access to a network, which is particularly dangerous when APTs are involved. It is highly recommended at this time that any users of FortiOS products apply the necessary patches to remediate these vulnerabilities.
Technical Detail & Additional Information
WHAT IS THE THREAT?
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint cybersecurity advisory today detailing their observation of multiple Advanced Persistent Threats (APTs) attempting to exploit three FortiOS vulnerabilities (CVE-2018-13379, CVE-2019-5591 and CVE-2020-12812). The APT actors have been witnessed scanning for machines susceptible to exploitation of these vulnerabilities, and “are likely exploiting these Fortinet FortiOS vulnerabilities… to gain access to multiple governments, commercial, and technology services networks” [1]. These vulnerabilities represent a critical first step in the exploitation and compromise of any high-profile target, as they grant the threat actor initial access. At least one of these vulnerabilities (CVE-2018-13379) has been confirmed exploited in the wild: it was used to gain access and deliver the “Cring” ransomware in an investigation conducted by Kaspersky [2].
- [1] https://www.ic3.gov/Media/News/2021/210402.pdf
- [2] https://ics-cert.kaspersky.com/reports/2021/04/07/vulnerability-in-fortigate-vpn-servers-is-exploited-in-cring-ransomware-attacks/
WHY IS IT NOTEWORTHY?
Three separate vulnerabilities being present in FortiOS is arguably noteworthy enough, but when compounded by the FBI and CISA releasing a joint cybersecurity advisory, the stakes are raised dramatically. Given that this advisory directly from the FBI and CISA states that the aforementioned FortiOS vulnerabilities are actively being exploited by APTs (the most dangerous and sophisticated “classification” of threat actors), all caution must be taken to mitigate these vulnerabilities. While exploitation has been witnessed in the wild, most activity right now appears to be information gathering, observed as a large volume of scanning for vulnerable devices on ports 4443, 8443, and 10443.
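Because the advisory names the ports being probed, the scanning phase is something a defender can look for in perimeter logs. The following is an added example, not code from the advisory or from Fortinet: it parses a constructed, generic firewall-log format (the `src=`/`dst=`/`dport=` field names are an assumption) and flags any source that touched the three advisory ports across several distinct host:port pairs, which is the shape of a sweep rather than a single user connecting to one VPN.

```python
"""Flag external sources sweeping the FortiOS SSL-VPN ports named in the advisory."""
import re
from collections import defaultdict

# Ports the FBI/CISA advisory reports APT actors scanning for vulnerable FortiOS devices.
WATCHED_PORTS = {4443, 8443, 10443}

# Constructed sample lines in an assumed generic firewall-log style:
# "<time> src=<ip> dst=<ip> dport=<port> action=<allow|deny>". Not real traffic.
SAMPLE_LOG = """\
2021-04-02T10:00:01 src=203.0.113.7 dst=192.0.2.10 dport=4443 action=deny
2021-04-02T10:00:02 src=203.0.113.7 dst=192.0.2.11 dport=8443 action=deny
2021-04-02T10:00:03 src=203.0.113.7 dst=192.0.2.12 dport=10443 action=deny
2021-04-02T10:00:04 src=203.0.113.7 dst=192.0.2.13 dport=10443 action=deny
2021-04-02T10:00:05 src=198.51.100.5 dst=192.0.2.10 dport=443 action=allow
2021-04-02T10:00:06 src=198.51.100.5 dst=192.0.2.10 dport=8443 action=allow
2021-04-02T10:00:07 src=203.0.113.9 dst=192.0.2.10 dport=22 action=deny
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_events(text):
    """Yield (src, dst, dport) for every line that matches; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def find_scanners(text, min_targets=3):
    """Return {src: sorted distinct (dst, dport)} for sources that hit the watched
    ports on at least `min_targets` distinct host:port pairs. A single legitimate
    VPN user touches one pair; a sweep fans out across hosts and ports."""
    hits = defaultdict(set)
    for src, dst, dport in parse_events(text):
        if dport in WATCHED_PORTS:
            hits[src].add((dst, dport))
    return {src: sorted(pairs) for src, pairs in hits.items() if len(pairs) >= min_targets}


if __name__ == "__main__":
    for src, pairs in find_scanners(SAMPLE_LOG).items():
        print(f"possible FortiOS SSL-VPN sweep from {src}: {len(pairs)} host:port pairs")
```

Tune `min_targets` to your environment; a source hitting 8443 on one host once is ordinary traffic, while one hitting 4443, 8443 and 10443 across many hosts is worth an alert and a cross-check against the patch status of those devices.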
WHAT IS THE EXPOSURE OR RISK?
If exploited, these three vulnerabilities all result in unauthorized access. Needless to say, a dangerous APT having access to government, commercial, or technology services networks is cause for alarm. The goals of an APT are typically broader than monetary gain. An APT is typically a nation state or state-sponsored group willing to spend prolonged periods of time on exploitation to cause the greatest amount of damage. An APT may gain access to a network and simply lie in wait for an extended period, waiting for the ideal moment to exfiltrate data, deliver ransomware, or pursue any other malign goal it sees fit.
WHAT ARE THE RECOMMENDATIONS?
At this time, the clear recommendation is to immediately patch CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. Aside from that, the list of mitigations provided in the joint cybersecurity advisory is relatively standard. These range from regularly backing up data to secure offline locations to ensuring user accounts have the minimum privilege needed to function. The complete list of mitigations can be found within the advisory below:
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.