Two federal agencies say advanced persistent threat (APT) groups are likely exploiting vulnerabilities in the Fortinet FortiOS VPN.

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued the advisory. They said APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spear phishing campaigns, website defacements and disinformation campaigns.

The ATP actors are using multiple common vulnerabilities and exposures (CVEs) to exploit Fortinet FortiOS vulnerabilities. They’re doing this to to gain access to multiple government, commercial and technology services networks.

These malicious hackers may use other CVEs to gain access to critical infrastructure networks to prepare for follow-on attacks.

Customers Urged to Upgrade

Fortinet sent us the following statement:

“The security of our customers is our first priority. CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a product security incident response team (PSIRT) advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019 and July 2020 strongly recommending an upgrade. Upon resolution we have consistently communicated with customers, as recently as late as 2020. CVE-2019-5591 was resolved in July 2019 and CVE-2020-12812 was resolved in July 2020. If customers have not done so, we urge them to immediately implement the upgrade and mitigations.”

Zach Hanley is senior red team engineer at Horizon3.AI.

Horizon3 AI’s Zach Hanley

“Attackers are increasingly targeting critical external applications,” he said. “VPNs have been targeted even more this last year. These three vulnerabilities targeting the Fortinet VPN allow an attacker to obtain valid credentials, bypass multifactor authentication (MFA), and man-in-the-middle (MITM) authentication traffic to intercept credentials. The common theme here is once they are successful, they will look just like your normal users.”

Taking Advantage of Sensitive Vulnerabilities

Yaniv Bar-Dayan is Vulcan Cyber‘s CEO and co-founder.

Vulcan Cyber’s Yaniv Bar-Dayan

“Last year saw a multitude of damaging consequences from ransomware, breaches and targeted attacks against sensitive data,” he said. “From breaches of COVID-19 research data, to attacks on critical infrastructure and government agencies, cybercriminals have taken advantage of the most sensitive vulnerabilities at the expense of the organizations that have the most to lose.”

The past year should have been a wake-up call to security teams that have been resistant to change, Bar-Dayan said.

“As remote working continues to be the norm, even after this pandemic subsides, an agile security team and agile infrastructure will be critical,” he said.

Security teams must carefully orchestrate and manage remediation activities, Bar-Dayan said.

NNT’s Dirk Schrader

Furthermore, organizations must continue looking for new ways to be ready for the ever evolving threat landscape.

Dirk Schrader is global vice president of security research at New Net Technologies (NNT).

“Exploiting vulnerabilities in key infrastructure devices like firewalls is a critical path for attackers as it allows [them] to establish [a] foothold behind them,” he said. “For any organization, monitoring these devices, patching them [and] controlling any configuration changes on them is a priority job for the security teams.”