Attackers Targeting Fortinet FortiOS Servers Using Multiple Exploits

    The FBI and CISA warn that APT actors are scanning Fortinet FortiOS devices for known vulnerabilities in order to gain access to government, commercial, and technology services networks.

    FortiOS Vulnerabilities

    In March 2021 the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) observed Advanced Persistent Threat (APT) actors scanning devices for the following vulnerabilities:

    • CVE-2018-13379
      An Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) in the SSL VPN web portal of Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.
    • CVE-2019-5591
      A Default Configuration vulnerability in FortiOS 6.2.0 and below may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.
    • CVE-2020-12812
      An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.

    The actors were also observed scanning ports 4443, 8443, and 10443, ports commonly used for the FortiOS SSL VPN web portal, to locate devices to target.
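    The article does not say what this scanning looks like from the defender's side. The Python below is an added example written for this page, not part of the original article and not the advisory's own detection guidance. It runs a simple check over constructed log lines: each request path is percent-decoded (including doubly encoded sequences) and flagged if it contains a `..` path segment, which is generic path-traversal probing rather than the specific request used against CVE-2018-13379, and any source that touches more than one of the three advisory ports is flagged as a multi-port probe. The key=value log format, the addresses, the `/sslvpn/` paths and the function names are all assumptions.

```python
"""Added example: detect path-traversal probing and multi-port SSL VPN
scanning in constructed log lines. Not FortiOS syslog and not the
advisory's own guidance; format, paths and addresses are assumptions."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Ports the FBI/CISA advisory says the actors scanned.
SSLVPN_PORTS = {4443, 8443, 10443}

# Constructed, simplified key=value log line (assumption, not a real format).
LOG_RE = re.compile(
    r'src=(?P<src>\S+)\s+dport=(?P<dport>\d+)\s+method=(?P<method>\S+)\s+path="(?P<path>[^"]*)"'
)

# Constructed sample input using documentation-only address ranges.
SAMPLE_LOG = """\
src=203.0.113.7 dport=10443 method=GET path="/sslvpn/login?lang=en"
src=203.0.113.7 dport=10443 method=GET path="/sslvpn/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
src=198.51.100.9 dport=4443 method=GET path="/sslvpn/login"
src=198.51.100.9 dport=8443 method=GET path="/sslvpn/login"
src=198.51.100.9 dport=10443 method=GET path="/sslvpn/login"
src=192.0.2.20 dport=443 method=GET path="/../../etc/shadow"
src=192.0.2.5 dport=8443 method=GET path="/sslvpn/%252e%252e%252f%252e%252e%252fetc/hosts"
""".splitlines()


def normalise(path: str) -> str:
    """Percent-decode repeatedly (bounded) so %252e%252e -> %2e%2e -> ..,
    then fold backslashes so a '..\\' sequence is seen as a segment too."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def has_traversal(path: str) -> bool:
    """True when any '/'-separated segment of the decoded path is '..'.
    Splitting the whole string also catches '?lang=/../../x' in a query."""
    return ".." in normalise(path).split("/")


def analyse(lines):
    """Return a list of findings as (src, port_or_ports, kind, detail)."""
    findings = []
    ports_by_src = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        src, dport, path = m["src"], int(m["dport"]), m["path"]
        if dport in SSLVPN_PORTS:
            ports_by_src[src].add(dport)
        # Traversal is worth flagging on any port, not only the three above.
        if has_traversal(path):
            findings.append((src, dport, "path-traversal", normalise(path)))
    # A single source hitting several of the advisory ports is a probe
    # pattern even when every individual request looks benign.
    for src, ports in ports_by_src.items():
        if len(ports) >= 2:
            findings.append((src, sorted(ports), "multi-port-sslvpn-probe", None))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

Two details matter in practice: decode before matching, because a single-pass string match on `../` misses both `%2e%2e%2f` and the doubly encoded form, and correlate per source across ports, because a scanner that only requests the login page on each port never trips a per-request rule.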

    Targeted Networks

    APT actors may abuse these vulnerabilities to gain access to the networks of government, commercial, and technology services organizations.

    They may also use other CVEs or common exploitation techniques, such as spearphishing, to gain access to critical infrastructure networks and pre-position for follow-on attacks.

    Notably, APT actors have historically exploited critical vulnerabilities to conduct:

    • distributed denial-of-service (DDoS) attacks
    • ransomware attacks
    • structured query language (SQL) injection attacks
    • spearphishing campaigns
    • website defacements
    • disinformation campaigns.

    Security Mitigation

    The FBI and CISA have also shared mitigation measures to block compromise attempts in these ongoing state-sponsored attacks, recommending, among other measures:

    • Immediately patch CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
    • If FortiOS is not used by your organization, add key artifact files used by FortiOS to your organization’s execution deny list, so that any attempt to install or run this program and its associated files is blocked.
    • Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the primary system where the data resides.
    • Implement network segmentation.
    • Require administrator credentials to install software.


    Published April 3rd, 2021 (2021-04-03T14:12:40+05:30) | Security Update, Targeted Attacks

    About the Author:

    FirstHackersNews- Identifies Security
