FBI warns that hacking groups are actively exploiting three Fortinet vulnerabilities

The Federal Bureau of Investigation (FBI) issued a report warning that state-sponsored hacking groups are running a large-scale exploitation campaign against three security flaws in FortiOS, the operating system that runs on the network security appliances of Fortinet.

The report, issued jointly with the Cybersecurity and Infrastructure Security Agency (CISA), notes that the attackers perform mass scans of ports 4443, 8443 and 10443 to find deployments that have not been patched against CVE-2018-13379, CVE-2019-5591 and CVE-2020-12812.
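The scanning behaviour described above can be spotted in perimeter logs: a single source touching the SSL VPN ports the alert names. The following is an added example, not code from the advisory or from Fortinet, that flags such sources across a constructed firewall log in an assumed, simplified line format (`src=<ip> dst=<ip> dport=<port> action=<allow|deny>`).

```python
import re
from collections import defaultdict

# Ports named in the FBI/CISA alert as targets of the mass scans.
ALERT_PORTS = {4443, 8443, 10443}

# Constructed sample log lines for the demonstration (assumed format,
# not a real FortiOS or firewall export).
SAMPLE_LOG = """\
2021-04-02T10:00:01Z src=203.0.113.5 dst=192.0.2.10 dport=4443 action=deny
2021-04-02T10:00:02Z src=203.0.113.5 dst=192.0.2.10 dport=8443 action=deny
2021-04-02T10:00:03Z src=203.0.113.5 dst=192.0.2.10 dport=10443 action=allow
2021-04-02T10:00:04Z src=198.51.100.7 dst=192.0.2.10 dport=443 action=allow
2021-04-02T10:00:05Z src=198.51.100.7 dst=192.0.2.10 dport=8443 action=allow
2021-04-02T10:00:06Z src=203.0.113.5 dst=192.0.2.11 dport=4443 action=deny
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_log(text):
    """Yield (src, dst, dport) for every line matching the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def find_ssl_vpn_scanners(text, min_ports=2):
    """Return {src: sorted ports} for sources that probed at least
    min_ports distinct alert ports, regardless of destination host.
    Denied connections count too: a sweep is visible before it succeeds."""
    ports_by_src = defaultdict(set)
    for src, _dst, dport in parse_log(text):
        if dport in ALERT_PORTS:
            ports_by_src[src].add(dport)
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for src, ports in find_ssl_vpn_scanners(SAMPLE_LOG).items():
        print(f"possible SSL VPN port sweep from {src}: ports {ports}")
```

Lowering `min_ports` to 1 turns the function into a plain watchlist for any hit on the three ports, which is noisier but useful right after a patch window.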

“Malicious hackers are likely to look for an opportunity to exploit these vulnerabilities to gain access to multiple networks of government, commercial, and technology services. Exploitation would allow denial of service (DoS) attacks, ransomware infections, phishing campaigns and SQL injection,” the report states.

The flaws were described as follows:

  • CVE-2018-13379: Path traversal vulnerability in the SSL VPN web portal that allows an unauthenticated threat actor to download system files through specially crafted HTTP resource requests
  • CVE-2019-5591: Default configuration flaw in FortiOS that would allow unauthenticated attackers on the same subnet to intercept potentially sensitive information posing as the LDAP server
  • CVE-2020-12812: Improper authentication flaw in SSL VPN that allows users to log in successfully without being prompted to complete multi-factor authentication

Once these flaws are exploited, threat actors can move laterally from the affected systems: “Hacking groups can use any of these three flaws to perform data extraction attacks, as well as employ social engineering methods to access critical infrastructure,” the report states.

This security alert continues the trend with which CISA and the FBI closed 2020, when they issued a series of reports on hacking groups exploiting unremediated vulnerabilities. Last October, the agencies reported mass exploitation of various flaws in VPN solutions from firms such as Fortinet, Palo Alto Networks and Pulse Secure.

At the moment the agencies have not disclosed information about the hacking groups that are deploying these campaigns, although as usual the cybersecurity community has linked these reports with hackers from Russia and China.

The report concludes by adding some recommendations to prevent the exploitation of these flaws:

  • Install the updates that fix CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591
  • If your organization does not use FortiOS, the FBI recommends adding the files associated with these exploits to the organization's execution denylist
  • Back up regularly, password-protect all backups, and implement mechanisms that prevent backups from being copied or edited

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.