Threat actors are offering access to corporate networks via unauthorized Fortinet VPN access

Cyble observed Initial Access Brokers (IABs) offering access to enterprise networks compromised via a critical flaw in Fortinet products.

Researchers at Cyble have observed initial access brokers (IABs) selling access to enterprise networks likely compromised via a recently patched critical flaw, tracked as CVE-2022-40684, in Fortinet products.

In early October, Fortinet addressed the critical authentication bypass flaw, tracked as CVE-2022-40684, that impacted FortiGate firewalls and FortiProxy web proxies.

The company explained that an attacker can exploit the vulnerability to log into vulnerable devices.

“An authentication bypass using an alternate path or channel [CWE-88] in FortiOS and FortiProxy may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests,” reads the customer support bulletin issued by the company.

The company urged customers to address this critical vulnerability immediately due to the risk of remote exploitation of the flaw.

The vulnerability impacts FortiOS versions from 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1, and FortiProxy versions from 7.0.0 to 7.0.6 and 7.2.0

The cybersecurity firm addressed the flaw with the release of FortiOS/FortiProxy versions 7.0.7 or 7.2.2.

The company also provides a workaround for those who can’t immediately deploy security updates.

Customers that are not able to upgrade their systems should restrict access to their devices to a specific set of IP addresses.

On October 18, Fortinet confirmed the critical authentication bypass vulnerability is being exploited in the wild.

“Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device’s logs: user=”Local_Process_Access”” continues the advisory.

A proof-of-concept (PoC) exploit code for the CVE-2022-40684 flaw has been released online. The public availability of the PoC exploit code can fuel a wave of attacks targeting Fortinet devices.

In October, the Shadowserver Foundation reported that more than 17K Fortinet devices exposed online were vulnerable to attacks exploiting the CVE-2022-40684 flaw, most of them in Germany and in the US.

Now Cyble researchers reported more than 100,000 FortiGate firewalls accessible from the internet that may be targeted by threat actors if not patched yet.

Threat actors might exploit the vulnerability to perform malicious activities such as:

• Modify the admin users’ SSH keys to enable the attacker to log in to the compromised system.
• Add new local users.
• Update networking configurations to reroute traffic.
• Download the system configuration.
• Initiate packet captures to capture other sensitive system information.
• The sensitive system information, system configurations, and network details might be further distributed over the darkweb

“While during routine monitoring, researchers at Cyble observed a Threat Actor (TA) distributing multiple unauthorized Fortinet VPN access over one of the Russian cybercrime forums,” reads the analysis published by Cyble. “

“While analyzing the access, it was found that the attacker was attempting to add their own public key to the admin user’s account. As per intelligence gathered from sources, the victim organizations were using outdated FortiOS. Hence, with high confidence, we conclude that the Threat Actor behind this sale exploited CVE-2022-40684.”

Cyble researchers observed that threat actors have been targeting Fortinet instances since October 17, 2022.

“The authentication bypass vulnerability in Fortinet products allows an unauthenticated attacker to perform operations on the administrative interface. With large numbers of exposed assets that belong to private-public entities exposed over the internet, the vulnerability falls under the critical category.” concludes the post. “Publicly distributed Proof of Concepts (POCs) and automation tools have made it more convenient for attackers to target victim organizations within a few days of the announcement of the new CVE.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet)

[adrotate banner=”5″]

[adrotate banner=”13″]