Cybersecurity Threat Advisory: FortiOS Vulnerabilities
Posted on April 12, 2021 by Mike Beagles
As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their critical communications networks.
This week there is a new critical alert that requires the mission-critical community’s immediate attention.
Advisory overview
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) released a joint cybersecurity advisory documenting that numerous advanced persistent threat (APT) actors have been observed scanning in the wild for three FortiOS vulnerabilities (CVE-2018-13379, CVE-2019-5591 and CVE-2020-12812). Also known as the Fortinet Operating System, the FortiOS platform integrates high-performing security and network components to deliver a consistent security posture across an organization’s entire infrastructure, including all networks, endpoints and clouds, according to the vendor. The vulnerabilities, if exploited, can allow unauthorized remote access to a network, which is particularly dangerous when APTs are involved. It is highly recommended that all users of FortiOS products apply the necessary patches now to remediate these vulnerabilities.
What is the threat?
According to the FBI and CISA, threat actors have been observed scanning for machines susceptible to exploitation of these vulnerabilities, and “are likely exploiting these Fortinet FortiOS vulnerabilities … to gain access to multiple government, commercial, and technology services networks.” These vulnerabilities represent a critical first step in the compromise of any high-profile target, because they grant the threat actor initial access. At least one of these vulnerabilities (CVE-2018-13379) has been identified as exploited in the wild and was used to gain access and deliver the “Cring” ransomware, according to an investigation by Kaspersky.
Why is this noteworthy?
The presence of three separate vulnerabilities in FortiOS arguably is noteworthy enough, but when compounded by the FBI and CISA releasing a joint cybersecurity advisory, the stakes are raised dramatically. Given that this advisory states that the aforementioned FortiOS vulnerabilities are being exploited by APTs (the most dangerous and sophisticated threat actor classification), all caution must be taken to mitigate these vulnerabilities. While exploitation has been witnessed in the wild, it appears that most activity right now involves information gathering, which results in a large amount of scanning for vulnerable devices on ports 4443, 8443 and 10443.
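One way to look for the scanning described above in your own perimeter logs, as an added example that is not part of the original advisory. The key=value log format, field names, sample lines and thresholds are constructed assumptions; only the three ports come from the advisory.

```python
import re
from collections import defaultdict

# Ports the advisory reports being scanned for vulnerable FortiOS devices.
FORTIOS_SCAN_PORTS = {4443, 8443, 10443}

# Constructed sample lines in an assumed key=value firewall log format.
SAMPLE_LOG = """\
2021-04-10T02:11:04Z src=203.0.113.7 dst=198.51.100.10 dport=4443 action=deny
2021-04-10T02:11:05Z src=203.0.113.7 dst=198.51.100.10 dport=8443 action=deny
2021-04-10T02:11:06Z src=203.0.113.7 dst=198.51.100.11 dport=10443 action=accept
2021-04-10T02:15:40Z src=192.0.2.44 dst=198.51.100.10 dport=8443 action=accept
2021-04-10T02:16:02Z src=192.0.2.44 dst=198.51.100.10 dport=443 action=accept
2021-04-10T02:20:19Z src=203.0.113.90 dst=198.51.100.12 dport=10443 action=deny
2021-04-10T02:20:20Z src=203.0.113.90 dst=198.51.100.13 dport=10443 action=deny
malformed line without fields
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)")

def find_scanners(log_text, min_ports=2, min_hosts=2):
    """Flag sources that probed several of the listed ports or several hosts.

    Returns {src: {"ports": [...], "hosts": [...], "accepted": [...]}}.
    "accepted" lists (dst, port) pairs the firewall let through; those
    devices are the first ones to check for patch status.
    """
    seen = defaultdict(lambda: {"ports": set(), "hosts": set(), "accepted": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        port = int(m["dport"])
        if port not in FORTIOS_SCAN_PORTS:
            continue
        rec = seen[m["src"]]
        rec["ports"].add(port)
        rec["hosts"].add(m["dst"])
        if m["action"] == "accept":
            rec["accepted"].add((m["dst"], port))
    return {src: {k: sorted(v) for k, v in rec.items()}
            for src, rec in seen.items()
            if len(rec["ports"]) >= min_ports or len(rec["hosts"]) >= min_hosts}

if __name__ == "__main__":
    for src, rec in sorted(find_scanners(SAMPLE_LOG).items()):
        print(src, rec)
```

A single connection to one of these ports from one source is not flagged, since legitimate services also listen there; tune `min_ports` and `min_hosts` to your traffic.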
What is the exposure?
If exploited, these three vulnerabilities all result in unauthorized access. Needless to say, a dangerous APT having access to government/commercial/technology services networks is cause for alarm. The actions of an APT typically are grander in scale than just monetary gain. An APT typically is a nation state or state-sponsored group that is willing to spend prolonged periods of time on exploitation to cause the highest amount of damage. An APT may gain access to a network and simply lie in wait for extended periods of time until the ideal moment arrives to exfiltrate data, deliver ransomware, or reach any other malign goal they see fit.
What are the recommendations?
At this time, the clear recommendation is to immediately patch CVEs 2018-13379, 2020-12812, and 2019-5591. Aside from that, the list of mitigations provided in the joint cybersecurity advisory is relatively standard. These range from regularly backing up data in secure offline locations to ensuring that user accounts have the minimal amount of privilege needed to function.