FBI and CISA are warning of APT actors targeting Fortinet FortiOS servers

Pierluigi Paganini April 02, 2021

FBI and CISA published a joint alert to warn of advanced persistent threat (APT) groups targeting Fortinet FortiOS to access networks of multiple organizations.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published a joint alert to warn of attacks carried out by APT groups targeting Fortinet FortiOS servers using multiple exploits.

The threat actors are actively exploiting the following vulnerabilities in Fortinet FortiOS:

• CVE-2018-13379
• CVE-2020-12812
• CVE-2019-5591

In March 2021, government experts observed state-sponsored hackers scanning the internet for servers vulnerable to the above flaws; the attackers were probing systems on ports 4443, 8443, and 10443. The joint alert also states that the attackers enumerated devices for the CVE-2020-12812 and CVE-2019-5591 flaws.

“In March 2021 the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) observed Advanced Persistent Threat (APT) actors scanning devices on ports 4443, 8443, and 10443 for CVE-2018-13379, and enumerated devices for CVE-2020-12812 and CVE-2019-5591. It is likely that the APT actors are scanning for these vulnerabilities to gain access to multiple government, commercial, and technology services networks” reads the joint advisory published by FBI and CISA.

Attackers were exploiting the flaw in an attempt to access multiple government, commercial, and technology services networks.
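A defender can look for the scanning pattern described above in perimeter logs. The following is an added example, not code from the advisory or from Security Affairs: it flags source addresses that probe more than one of the three ports within a short time window. The log format, the addresses, and the `find_sweeps` name are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the FBI/CISA alert says were scanned for CVE-2018-13379.
ALERT_PORTS = {4443, 8443, 10443}

# Constructed sample data. Assumed format: ISO time, source IP, dest IP, dest port, action.
SAMPLE_LOG = """\
2021-03-10T02:14:05 198.51.100.7 203.0.113.10 4443 DENY
2021-03-10T02:14:09 198.51.100.7 203.0.113.10 8443 DENY
2021-03-10T02:15:30 198.51.100.7 203.0.113.11 10443 ALLOW
2021-03-10T02:15:31 198.51.100.7 203.0.113.11 443 ALLOW
2021-03-10T09:00:00 192.0.2.44 203.0.113.10 8443 ALLOW
2021-03-10T09:05:00 192.0.2.44 203.0.113.10 8443 ALLOW
2021-03-10T01:00:00 192.0.2.90 203.0.113.10 4443 DENY
2021-03-10T05:00:00 192.0.2.90 203.0.113.10 10443 DENY
truncated line
"""

def find_sweeps(log_text, window=timedelta(minutes=10), min_ports=2):
    """Map each source IP to the alert ports it probed, for sources that hit
    at least min_ports distinct alert ports inside one sliding time window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        try:
            ts, src, _dst, port, _action = line.split()
            event = (datetime.fromisoformat(ts), int(port))
        except ValueError:
            continue  # skip blank or malformed lines
        if event[1] in ALERT_PORTS:
            hits[src].append(event)

    flagged = {}
    for src, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span is no longer than `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports | set(flagged.get(src, [])))
    return flagged

if __name__ == "__main__":
    for src, ports in find_sweeps(SAMPLE_LOG).items():
        print(f"{src} probed alert ports {ports}")
```

A source that repeatedly reaches a single one of these ports, such as a legitimate VPN user, is not flagged; neither is one whose probes are hours apart, so the window should be tuned to the scan rates seen in your own logs.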

The agencies warn that APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors. Once they have gained access to the target networks, attackers can establish a foothold and might use this initial access for future attacks.

“The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks,” continues the advisory. “APT actors may use other CVEs or common exploitation techniques—such as spearphishing—to gain access to critical infrastructure networks to pre-position for follow-on attacks.”

The alert also includes mitigation measures to secure systems from ongoing state-sponsored attacks exploiting the above issues:

• Immediately patch CVEs 2018-13379, 2020-12812, and 2019-5591.
• If FortiOS is not used by your organization, add key artifact files used by FortiOS to your organization’s execution deny list. Any attempts to install or run this program and its associated files should be prevented.
• Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the primary system where the data resides.
• Implement network segmentation.
• Require administrator credentials to install software.
• Implement a recovery plan to restore sensitive or proprietary data from a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
• Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
• Use multifactor authentication where possible.
• Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.
• Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
• Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
• Install and regularly update antivirus and anti-malware software on all hosts.
• Consider adding an email banner to emails received from outside your organization.
• Disable hyperlinks in received emails.
• Focus on awareness and training. Provide users with training on information security principles and techniques, particularly on recognizing and avoiding phishing emails.

This isn’t the first time that the FBI and CISA have released a joint security advisory on attacks exploiting vulnerabilities in Fortinet systems. In October 2020, the US agencies warned that APT actors had been chaining vulnerabilities in VPN products (Fortinet, Pulse Secure) with Windows ZeroLogon in attacks aimed at federal and state, local, tribal, and territorial (SLTT) government networks. The agencies also reported attacks against non-government networks.

CISA and FBI have observed attacks carried out by APT actors that combined two flaws, CVE-2018-13379 and CVE-2020-1472.
