Chinese Group Trying to Exploit Old Fortinet SSH Backdoor

Hackers are exploiting a critical flaw in Fortinet SSL VPN; update now

Ethical hacking experts report that, in recent days, threat actors have been scanning the Internet for unpatched SSL VPN appliances from Fortinet in order to exploit a critical vulnerability in them.

The operators of this campaign are primarily after login credentials and other confidential details. If they succeed, they can use those credentials to gain full remote access to an organization's network.

The set of vulnerabilities in the company's products was disclosed only days ago, and although Fortinet has already released fixes, attackers have moved just as quickly to exploit the weaknesses.

To gauge the potential scope, ethical hacking experts scanned the Internet and found at least 480k Fortinet SSL VPN endpoints exposed online; they estimate the real total could reach 500 thousand. Exposure alone does not mean an endpoint is vulnerable, but every one of them that is still unpatched is reachable by these scans.

Beyond the broad exposure, the cybersecurity community is concerned about the recent rise in exploitation attempts. Troy Mursch of security firm Bad Packets reports that his company's honeypots detected thousands of scans looking for endpoints exposed to CVE-2019-11510, the arbitrary file read in Pulse Secure's Pulse Connect Secure VPN, which was publicized together with the Fortinet flaws. “This is an arbitrary file read flaw that allows the leakage of sensitive information,” Mursch said. “In addition, it is possible to exploit this vulnerability in conjunction with other known failures to remotely inject commands and access a VPN,” he added.

Last weekend Mursch added that, after a more thorough analysis, nearly 15k Pulse Secure VPN servers were found exposed to this campaign. “Our analyses found a total of 14,528 endpoints vulnerable to the exploitation of CVE-2019-11510, in addition to 2,300 unique networks with vulnerable computers in more than 100 countries,” the ethical hacking expert says.

The scan data shows that most organizations running unpatched SSL VPN endpoints are in the U.S. The researchers did not name the affected organizations, because the vulnerability is trivial to exploit.

Fortinet released a security advisory together with updates that fix at least ten vulnerabilities; some of them could be exploited to gain remote access to a device and, from there, to the rest of the attacked organization's network. The advisory highlights CVE-2018-13379, a path traversal in the SSL VPN web portal that lets an unauthenticated attacker download FortiOS system files using specially crafted HTTP requests.
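The flaw class behind CVE-2018-13379, an unauthenticated path traversal that turns a web portal into an arbitrary file read, is easy to see in code. What follows is an added example and not Fortinet's code; it does not reproduce the real FortiOS request. It pairs a deliberately vulnerable file handler with a hardened one, and adds a small triage routine that flags traversal attempts in access-log lines such as a honeypot or web front end would record. The directory layout, request paths and log lines are all constructed for illustration.

```python
"""Arbitrary file read via path traversal (the flaw class behind CVE-2018-13379).

Added example with a constructed directory layout and constructed log lines;
this is not Fortinet code and does not reproduce the real FortiOS request.
"""
import os
import re
import tempfile
from urllib.parse import unquote


def normalize_request_path(raw: str) -> str:
    """Decode a request target the way a permissive server stack might:
    percent-decode until the string stops changing (defeats double encoding),
    turn backslashes into slashes and collapse runs of slashes."""
    decoded = raw
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    decoded = decoded.replace("\\", "/")
    return re.sub(r"/{2,}", "/", decoded)


def has_traversal(raw: str) -> bool:
    """True if any segment of the normalized request is '..'. The query string is
    split too, because traversal frequently arrives inside a parameter value."""
    return ".." in re.split(r"[/?&=]", normalize_request_path(raw))


def read_file_vulnerable(webroot: str, requested: str) -> bytes:
    """Vulnerable handler: decodes once and joins onto the web root.
    '..' segments walk out of webroot, so any readable file can be fetched."""
    path = os.path.join(webroot, unquote(requested).lstrip("/"))
    with open(path, "rb") as fh:
        return fh.read()


def read_file_hardened(webroot: str, requested: str) -> bytes:
    """Hardened handler: resolve '..' and symlinks with realpath, then refuse
    anything whose canonical path is not under the canonical web root."""
    root = os.path.realpath(webroot)
    candidate = normalize_request_path(requested).split("?", 1)[0].lstrip("/")
    target = os.path.realpath(os.path.join(root, candidate))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"request escapes web root: {requested!r}")
    with open(target, "rb") as fh:
        return fh.read()


def build_sandbox() -> tuple[str, str]:
    """Constructed layout: <base>/www/index.html is public, <base>/secret.txt sits
    one level above the web root and must never be served."""
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    webroot = os.path.join(base, "www")
    os.mkdir(webroot)
    with open(os.path.join(webroot, "index.html"), "w") as fh:
        fh.write("<h1>public</h1>")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("session-data")
    return base, webroot


# Constructed access-log lines (not real FortiOS logs). Two carry traversal,
# one of them percent-encoded, which a naive '../' substring match would miss.
SAMPLE_LOG = [
    '203.0.113.5 - - "GET /portal/index.html HTTP/1.1" 200',
    '198.51.100.7 - - "GET /portal/lang?file=../../../../etc/passwd HTTP/1.1" 200',
    '198.51.100.7 - - "GET /portal/lang?file=%2e%2e%2f%2e%2e%2fsessions.db HTTP/1.1" 200',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_traversal_requests(lines):
    """Return the log lines whose request target contains a traversal segment."""
    flagged = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and has_traversal(match.group(1)):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    _, webroot = build_sandbox()
    print("vulnerable handler returned:", read_file_vulnerable(webroot, "%2e%2e/secret.txt"))
    try:
        read_file_hardened(webroot, "%2e%2e/secret.txt")
    except PermissionError as exc:
        print("hardened handler refused:", exc)
    for line in flag_traversal_requests(SAMPLE_LOG):
        print("flagged:", line)
```

The hardened handler does not try to blacklist `..`; it canonicalizes first and then checks containment, which also covers symlinks inside the web root that point outside it. The log check normalizes before matching for the same reason: a filter that only looks for the literal string `../` is bypassed by a single round of percent-encoding.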

Finally, Fortinet urged all customers to upgrade their firmware to FortiOS 5.4.11 or later to mitigate the risk. Since the campaign is aimed at credential theft, an endpoint that was exposed while unpatched should be treated as potentially compromised: patching closes the hole but does not invalidate credentials that may already have been read.

Unfortunately, this is not the first time such issues have been found in enterprise network equipment. A couple of years ago, experts in ethical hacking from the International Institute of Cyber Security (IICS) reported an issue in FortiOS that, if exploited, behaved much like a backdoor over SSH; Fortinet stated that it was not an intentional part of the original firmware design.