The FBI and CISA have issued a joint cybersecurity advisory warning about APT actors scanning for Fortinet FortiOS VPN vulnerabilities. The agencies have observed scanning for CVE-2018-13379 on ports 4443, 8443, and 10443, as well as the enumeration of devices for CVE-2020-12812 and CVE-2019-5591. The actors' apparent goal is to exploit these flaws to gain access to government, commercial, and tech service networks. Patches are already available for all three of the identified flaws, so applying the FortiOS updates should eliminate the danger.
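As an added illustration (not part of the advisory or the article), the following script shows one way a defender could flag the port sweep described above in perimeter firewall logs: it looks for a single source touching more than one of the three SSL-VPN ports the advisory names. The key=value log format and the sample lines are constructed for this example and are not real traffic.

```python
import re
from collections import defaultdict

# Ports the advisory says actors scanned for CVE-2018-13379.
FORTIOS_VPN_PORTS = {4443, 8443, 10443}

# Constructed sample firewall log lines (assumed key=value format, not real traffic).
SAMPLE_LOGS = """\
ts=2021-04-02T10:00:01Z src=198.51.100.7 dst=203.0.113.10 dport=4443 proto=tcp action=accept
ts=2021-04-02T10:00:02Z src=198.51.100.7 dst=203.0.113.10 dport=8443 proto=tcp action=accept
ts=2021-04-02T10:00:03Z src=198.51.100.7 dst=203.0.113.10 dport=10443 proto=tcp action=accept
ts=2021-04-02T10:00:04Z src=192.0.2.55 dst=203.0.113.10 dport=443 proto=tcp action=accept
ts=2021-04-02T10:00:05Z src=192.0.2.55 dst=203.0.113.10 dport=8443 proto=tcp action=accept
ts=2021-04-02T10:00:06Z src=198.51.100.7 dst=203.0.113.11 dport=4443 proto=tcp action=accept
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_line(line):
    """Return (src, dst, dport) from one key=value log line, or None if malformed."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def find_vpn_port_scanners(log_text, min_ports=2):
    """Return {src: sorted ports} for sources that touched at least min_ports
    of the FortiOS SSL-VPN ports named in the advisory, on any destination.
    A legitimate client normally uses one VPN port; sweeping several is the signal."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not match the assumed format
        src, _dst, dport = parsed
        if dport in FORTIOS_VPN_PORTS:
            hits[src].add(dport)
    return {src: sorted(ports) for src, ports in hits.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, ports in find_vpn_port_scanners(SAMPLE_LOGS).items():
        print(f"possible FortiOS VPN port sweep from {src}: ports {ports}")
```

Lowering `min_ports` to 1 turns the check into a plain inventory of every source that reached any of the three ports, which is useful for confirming which external addresses can see a VPN listener at all.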
If patching is impossible, or if your organization does not use FortiOS directly, you are advised to add the product's key artifact files to your execution deny list. In addition, follow a proper backup plan, implement network segmentation, require admin credentials to install software, and use MFA where possible. All user accounts with admin privileges should be regularly audited, software needs to be regularly updated, and remote desktop protocol ports should be monitored and disabled if they are not actively used or needed.
The advisory doesn't give any details about the origin of the APT, but it looks like the actors' goal is a persistent and stealthy presence on critical networks. In the recent past, we covered reports about Iranian APT groups weaponizing similar flaws in FortiOS VPN within days of their publication.
Zach Hanley, senior red team engineer at Horizon3.AI, told us:
As for the flaws themselves, here are some details about them:
Since Fortinet has fixed all of the above in FortiOS 7.0, which also adds a range of new features as well as support for new technologies, we would suggest that everyone upgrades to the latest version of the product, if possible.