American multinational corporation Fortinet Inc.’s Fortinet FortiOS has been an active target for hacker groups, as has been reported by the U.S. Federal Bureau of Investigation (FBI) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

Fortinet Inc. develops and sells cybersecurity solutions, including physical products such as VPNs, firewalls, and software and services such as anti-virus protection, intrusion prevention systems, and endpoint security components.

The particular cybersecurity advisory regarding the Fortinet FortiOS was published on April 2.

The advisory, though avoiding to take any direct names, described the hacking groups as typically indulged and state-sponsored advanced persistent threat (APT) groups.

What the Fortinet FortiOS vulnerabilities?

Detailing the active targeting of the Fortinet FortiOS, the APTs are seemingly scanning devices on ports 4443, 8443, and 10443 for three main vulnerabilities. These are tracked as the CVE-2018-13379, CVE-2020-12812, and the CVE-2019-5591.

The CVE-2018-13379 is a security vulnerability that facilitates a malicious actor to download system files through SSL VPN.

The CVE-2020-12812 is also an improper authentication vulnerability in the SSL VPN in FortiOS.

The third vulnerability, CVE-2019-5591 is a default configuration security flaw that permits a malicious actor to block sensitive data by imitating the LDAP server.

Also read,

The security advisory issued by the FBI and CISA has noted that these security flaws or vulnerabilities could be primarily targeted to access various government, commercial and technology services networks.

The advisory not only recommends patching these vulnerabilities as soon as possible but also alerts implicated organizations and agencies to adopt practical and necessary security measures including regularly backing up data, initiating a prompt recovery plan, using multi-factor authentication where available, as well as disabling unused remote access/Remote Desktop Protocol ports and monitor remote access/RDP logs.

Fortinet addresses the vulnerabilities:

As far as Fortinet Inc. is concerned they have addressed the security advisory published regarding their Fortinet FortiOS published by the BI and CISA. They have noted in a blog that no organization rudimentarily appreciates security vulnerabilities and flaws, especially an organization such as themselves.

“But we continually strive to improve processes, including actively testing our code and fixing issues detected both internally and externally to deliver a more robust solution to our customers,” stated Fortinet.

Increasing targeting:

The three security flaws targeting the Fortinet VPN enable a malicious actor to access valid credentials, bypass MFA, and man-in-the-middle authentication traffic to intercept credentials. 

Security experts are of the opinion that malicious actors are progressively targeting more critical external applications, and VPNs. 

Exploiting the security flaws and vulnerabilities in key infrastructure devices such as firewalls is a rather lucrative and advantageous method for attackers because it enables them to set up a foundation behind them.

The agencies and organizations in charge of surveying monitoring,  patching, updating, and controlling any configuration changes in such devices must keep them on a priority basis.