FBI and CISA Warn About APTs Targeting FortiOS VPN Vulnerabilities

• A new CISA and FBI advisory informs about an undefined APT group targeting FortiOS VPN flaws.
• The three vulnerabilities mentioned in the report have been fixed for quite some time now.
• The actors appear to be targeting government, commercial, and IT service providers for espionage purposes.

The FBI and CISA have issued a joint cybersecurity advisory to inform everyone about APT actors scanning for Fortinet FortiOS VPN vulnerabilities. The agencies have observed the scanning for CVE-2018-13379 on ports 4443, 8443, and 10443, as well as the enumeration of devices for CVE-2020-12812 and CVE-2019-5591. The actors' apparent goal is to exploit these flaws to gain access to government, commercial, and tech service networks. All three of the identified flaws already have fixing patches available, so applying the updates on FortiOS should eliminate the danger.

If patching is impossible or if FortiOS isn’t used by your organizations directly, you are advised to add the product’s key artifact files to your execution deny list. In addition to that, follow a proper backup plan, implement network segmentation, require admin credentials to install software, and use MFA where possible. All user accounts with admin privileges should be regularly audited, software needs to be regularly updated, and remote desktop protocol ports should be monitored and even disabled if they are not actively used/needed.

The advisory doesn’t give any details about the origin of the APT, but it looks like the actors' goal is persistent and stealthy presence on critical networks. In the recent past, we covered reports about Iranian APT groups weaponizing similar flaws in FortiOS VPN within days after those were published.

Zach Hanley, Senior Red team engineer at Horizon3.AI told us:

As for the flows themselves, here are some details about them:

• CVE-2018-13379: An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.
• CVE-2019-5591: A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.
• CVE-2020-12812: An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.

Since Fortinet has fixed all of the above in FortiOS 7.0, which also adds a range of new features as well as support for new technologies, we would suggest that everyone upgrades to the latest version of the product, if possible.