The Federal Bureau of Investigation has issued a flash warning about an unknown advanced persistent threat (APT) group conducting cyberattacks. The flash warning was written in a coordinated effort between the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Homeland Security (DHS). The attacks are being facilitated by exploiting vulnerabilities in various Fortinet products. The flash warning specifically states that FortiOS is the main point of attack, as it has the vast majority of the exploitable vulnerabilities. This is why the attack campaign is so effective: FortiOS is considered by Fortinet to be “the foundation of the Fortinet Security Fabric, consolidating many technologies and use cases into a simplified, single policy and management framework.”
Attackers in the unnamed APT group are accessing devices on ports 4443, 8443, and 10443 by exploiting the Fortinet vulnerability CVE-2018-13379. Additionally, they are enumerating devices by exploiting the vulnerabilities CVE-2020-12812 and CVE-2019-5591. According to the flash warning, these actions are leading to the following post-exploitation activities:
Access gained by the APT actors can be leveraged to conduct data exfiltration, data encryption, or other malicious activity. The APT actors are actively targeting a broad range of victims across multiple sectors, indicating the activity is focused on exploiting vulnerabilities rather than targeted at specific sectors.
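As an added illustration (not part of the flash warning and not Fortinet's or any agency's tooling), the script below shows the kind of triage a defender can run over firewall logs for the three ports the warning names: it parses a constructed key=value log format (an assumption, not a real FortiOS log format), keeps only events on ports 4443, 8443 and 10443, and flags any source address that touched more than one of those ports, which is the pattern a device-enumeration sweep leaves behind. All IP addresses and log lines are constructed for the example.

```python
"""Triage constructed firewall log lines for activity on the ports named in the
FBI flash warning (4443, 8443, 10443). Added example; the log format, field
names and addresses are assumptions made for illustration only."""
import re
from collections import defaultdict

# Ports the flash warning says the APT actors are using to reach FortiOS devices.
WATCHED_PORTS = {4443, 8443, 10443}

# Assumed key=value log format (constructed for this example, not a vendor format).
LINE_RE = re.compile(
    r"(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)

# Constructed sample: one source sweeps three watched ports, one touches a
# single watched port, one only touches SSH (not of interest here).
SAMPLE_LOGS = """\
2021-04-02T10:00:01Z action=accept src=203.0.113.7 dst=198.51.100.2 dport=443
2021-04-02T10:00:05Z action=accept src=203.0.113.7 dst=198.51.100.2 dport=10443
2021-04-02T10:00:09Z action=accept src=203.0.113.7 dst=198.51.100.2 dport=8443
2021-04-02T10:00:12Z action=deny src=203.0.113.7 dst=198.51.100.2 dport=4443
2021-04-02T10:01:00Z action=accept src=192.0.2.44 dst=198.51.100.2 dport=10443
2021-04-02T10:02:00Z action=accept src=192.0.2.45 dst=198.51.100.2 dport=22
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    return event


def watched_events(text):
    """Return the parsed events whose destination port is one of WATCHED_PORTS."""
    events = []
    for line in text.splitlines():
        event = parse_line(line)
        if event and event["dport"] in WATCHED_PORTS:
            events.append(event)
    return events


def sources_by_port(text):
    """Map each source IP to the sorted list of watched ports it touched.

    Denied connections are kept on purpose: a blocked probe still tells you
    who is looking for these services."""
    ports = defaultdict(set)
    for event in watched_events(text):
        ports[event["src"]].add(event["dport"])
    return {src: sorted(p) for src, p in ports.items()}


def flag_enumerators(text, min_ports=2):
    """Sources that touched at least `min_ports` watched ports; review these first."""
    return sorted(
        src for src, ports in sources_by_port(text).items() if len(ports) >= min_ports
    )


if __name__ == "__main__":
    for src, ports in sources_by_port(SAMPLE_LOGS).items():
        print(f"{src}: {ports}")
    print("review first:", flag_enumerators(SAMPLE_LOGS))
```

Run against real exports, the regular expression and field names would need to be adapted to the firewall's actual log format; the value of the pass is the grouping by source, which separates a single legitimate admin session on one port from a host walking through all three.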
There are thankfully numerous mitigation strategies that can be taken. The most important one is patching the Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. Beyond this, the flash warning recommends other strategies that should be common practice for any organization: using multifactor authentication, keeping threat detection software up to date, regularly backing up data, requiring admin privileges to install software, and using secure networks with strong encryption.
Another suggestion applies specifically to organizations that do not use Fortinet FortiOS. In this particular situation, the FBI recommends that they “add the key artifact files used by FortiOS to your organization’s execution denylist.” This will prevent threat actors from running the program and exploiting its vulnerabilities.
Featured image: Flickr/Johannes Weber