FBI/CISA Warn of Ongoing Attacks Targeting Vulnerable Fortinet FortiOS Servers

Vulnerabilities in the Fortinet FortiOS operating system are being targeted by advanced persistent threat (APT) actors and are being used to gain access to servers to infiltrate networks as pre-positioning for follow-on data exfiltration and data encryption attacks.

In a recent Joint Cybersecurity Advisory, the Federal Bureau of Investigation (FBI) and the DHS’ Cybersecurity and Infrastructure Security Agency warned users of the Fortinet FortiOS to immediately patch three vulnerabilities, tracked under the CVE numbers CVE-2018-13379, 2020-12812, and 2019-5591.

Patches were released to correct the flaws in May 2019, July 2019, July 2020. Fortinet communicated with affected companies and published multiple blog posts urging customers to update the FortiOS to a secure version; however, some customers have yet to apply the patches to correct the flaws and are at risk of attack.

CVE-2018-13379 is a vulnerability due to improper limitation of a pathname to a restricted directory and is present in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12. Under SSL VPN web portal, an unauthenticated attacker can download system files by sending specially crafted HTTP requests to a vulnerable server. Previously, Russian, Chinese, and Iranian APT groups have abused the vulnerability in an attempt to compromise U.S. election support systems.

CVE-2020-12812 is an improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9, which could be exploited to allow a user to login successfully without being prompted for a second authentication factor – FortiToken – if they changed the case of their username.

CVE-2019-5591 is a default configuration vulnerability in FortiOS which could allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.

The FBI/CISA warn that APT groups are enumerating servers that have not been patched to fix CVE-2020-12812 and CVE-2019-5591 and are scanning for devices vulnerable to CVE-2018-13379 on ports 4443, 8443, and 10443. The vulnerabilities have been exploited to gain access to multiple government, commercial, and technology services networks. Other CVEs and exploitation techniques such as spear phishing may also be used in attacks to gain access to critical infrastructure networks.

In addition to applying the patches to correct the flaws, the FBI/CISA recommend several other steps be taken to prevent the exploitation of vulnerabilities. These include adding key artifact files used by FortiOS to execution deny lists to prevent attempts to install and run the vulnerable program and its associated files. Systems should also be configured to require administrator credentials to be used to install software.

Multi-factor authentication should be implemented where possible, good password hygiene maintained, and audits should be conducted of accounts with admin privileges. All unused remote access/RDP ports should be disabled, and remote access/RDP logs should be audited.

Since phishing attacks are possible, messages from external sources should be flagged and hyperlinks in emails disabled. It is also important to educate the workforce on information security and how to identify phishing emails. Antivirus software should be installed on all devices and be kept up to date. Network segmentation will help to limit the harm that can be caused if a network is breached.

Since extortion and data deletion attacks may occur, it is important to regularly backup data and store a backup copy on an air-gapped device and password-protect the backup. A recovery plan should also be implemented to restore sensitive data from a physically separate, segmented, secure location.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.