6 April 2021

US warns of attacks exploiting Fortinet FortiOS flaws to compromise government, enterprise networks

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are warning that Advanced Persistent Threat (APT) actors are exploiting vulnerabilities in Fortinet FortiOS in ongoing attacks against commercial, government, and technology services networks.

The two agencies said that in March 2021 they had observed malicious actors scanning Fortinet FortiOS devices on TCP ports 4443, 8443, and 10443 (ports commonly used for the FortiOS SSL VPN web portal) in attempts to exploit three vulnerabilities: CVE-2018-13379 (a path traversal vulnerability in the FortiOS SSL VPN web portal that allows an unauthenticated attacker to read system files), CVE-2020-12812 (an improper authentication issue in the FortiOS SSL VPN that can allow two-factor authentication to be bypassed), and CVE-2019-5591 (a default-configuration issue in which FortiOS does not verify the identity of the configured LDAP server, allowing an attacker on the same network to impersonate it).
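One practical starting point is to look for the scanning the alert describes in your own perimeter logs. The following is an added example, not code from the article or from the FBI/CISA alert: it parses constructed firewall log lines in a simplified key=value format (assumed for this example; real FortiGate or other firewall logs differ) and flags source addresses that probe more than one of the three SSL VPN ports named in the alert.

```python
import re
from collections import defaultdict

# TCP ports named in the FBI/CISA alert as targets of FortiOS scanning.
FORTIOS_PORTS = {4443, 8443, 10443}

# Constructed sample perimeter-firewall log lines (not real traffic) in a
# simplified key=value format assumed for this example.
SAMPLE_LOGS = """\
2021-03-04T02:11:07Z action=deny src=198.51.100.23 dst=203.0.113.10 dport=4443 proto=tcp
2021-03-04T02:11:08Z action=deny src=198.51.100.23 dst=203.0.113.10 dport=8443 proto=tcp
2021-03-04T02:11:09Z action=deny src=198.51.100.23 dst=203.0.113.10 dport=10443 proto=tcp
2021-03-04T02:11:09Z action=deny src=198.51.100.23 dst=203.0.113.11 dport=10443 proto=tcp
2021-03-04T02:12:40Z action=accept src=192.0.2.44 dst=203.0.113.10 dport=443 proto=tcp
2021-03-04T02:13:02Z action=accept src=192.0.2.9 dst=203.0.113.10 dport=10443 proto=tcp
2021-03-04T02:15:55Z action=deny src=198.51.100.77 dst=203.0.113.12 dport=22 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>[\d.]+)\s+"
    r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_fortios_scanners(log_text, min_ports=2, min_targets=1):
    """Return {src: {"ports": [...], "targets": [...]}} for sources that hit at
    least `min_ports` distinct FortiOS SSL VPN ports on at least `min_targets`
    distinct destinations. Both accepted and denied connections count, since a
    probe that reaches a listening portal is the one that matters most."""
    hits = defaultdict(lambda: {"ports": set(), "targets": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] not in FORTIOS_PORTS:
            continue
        hits[rec["src"]]["ports"].add(rec["dport"])
        hits[rec["src"]]["targets"].add(rec["dst"])
    return {
        src: {"ports": sorted(v["ports"]), "targets": sorted(v["targets"])}
        for src, v in hits.items()
        if len(v["ports"]) >= min_ports and len(v["targets"]) >= min_targets
    }


if __name__ == "__main__":
    for src, info in find_fortios_scanners(SAMPLE_LOGS).items():
        print(f"{src}: ports={info['ports']} targets={info['targets']}")
```

On the sample data only 198.51.100.23 is reported, because it touched all three ports across two hosts; 192.0.2.9 connected to a single port once, which is what a legitimate remote user looks like, so the default threshold of two distinct ports leaves it alone. Lower `min_ports` to 1 if you want every contact with these ports listed, and allow-list your own monitoring or VPN client ranges before acting on the output.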

“It is likely that the APT actors are scanning for these vulnerabilities to gain access to multiple government, commercial, and technology services networks. APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spearphishing campaigns, website defacements, and disinformation campaigns,” according to the alert.

“The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks. APT actors may use other CVEs or common exploitation techniques—such as spearphishing—to gain access to critical infrastructure networks to pre-position for follow-on attacks.”

To prevent such attacks, organizations are advised to immediately patch CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591; regularly back up data and keep backup copies offline, air-gapped, and password-protected; implement network segmentation; install updates and patches for operating systems, software, and firmware as soon as they are released; disable unused remote access and Remote Desktop Protocol (RDP) ports and monitor remote access and RDP logs; audit user accounts with administrative privileges and configure access controls with least privilege in mind; regularly change passwords for network systems and accounts; and avoid reusing passwords across accounts. Because CVE-2018-13379 lets an unauthenticated attacker read files from the device, including the SSL VPN session file, credentials of VPN users on a device that was exposed before patching should be treated as compromised and rotated, not just changed on the regular schedule.
