The FBI has issued a new flash alert noting that Advanced Persistent Threat (APT) groups are still exploiting Fortinet products with unpatched security flaws.
FBI’s critical alert for Fortinet:
In one example cited by the FBI, an APT group recently exploited a Fortinet device to gain access to a web server hosting the domain of a U.S. municipal government.
According to the FBI, the APT group then created a new user account under the name ‘elie’ to support further malicious activity in the municipal government’s network.
Previously, the FBI had warned about three vulnerabilities in Fortinet’s operating system, FortiOS.
The FBI notes that the APT groups are actively targeting “a broad range of victims across multiple sectors, indicating the activity is focused on exploiting vulnerabilities rather than targeted at specific sectors.”
In its flash alert, the FBI urges users of vulnerable Fortinet products to patch the flaws immediately to prevent attacks.
Fortinet’s FortiOS security flaws:
According to the FBI, the three Fortinet FortiOS vulnerabilities that are still being exploited are:
- CVE-2018-13379: A path traversal vulnerability in multiple versions of the FortiOS SSL VPN web portal that allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests;
- CVE-2020-12812: An improper authentication vulnerability in the FortiOS SSL VPN, affecting multiple versions, that allows an attacker to log in successfully without being prompted for the second authentication factor (FortiToken) if the case of the username is changed;
- CVE-2019-5591: A default configuration vulnerability in FortiOS that allows an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.
The FBI offered risk mitigation steps for Fortinet users that, beyond patching, include:
- Regularly back up data and password protect those backup copies.
- Implement network segmentation and have an effective recovery plan to restore sensitive or proprietary data from a physically separate, segmented, secure location – such as a hard drive, a storage device, or in the cloud.
- Disable unused remote access or remote desktop protocol ports and monitor these tools.
- Audit user accounts with administrative privileges and configure access controls with the least privilege in mind.
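As an added illustration that is not part of the FBI alert or the original article, the following Python script applies two of the points above, the ‘elie’ account indicator reported in the alert and the audit of accounts with administrative privileges, to a constructed set of Windows Security event log entries exported as JSON lines. The event IDs (4720, 4732, 4624) are the real Windows ones, but the flat field layout, the account names other than ‘elie’, the group names and the timestamps are assumptions made for this example, not the exact Windows schema or any real incident data.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: Windows Security events exported as JSON lines.
# Event IDs are the real ones (4720 account created, 4732 member added to a
# local group, 4624 logon); the flat field layout is an assumption made for
# this example, not the exact Windows schema. The account "elie" is the
# username reported in the FBI flash alert; everything else is made up.
SAMPLE_EVENTS = """\
{"EventID": 4720, "TimeCreated": "2021-05-18T09:02:11Z", "TargetUserName": "jsmith", "SubjectUserName": "helpdesk01"}
{"EventID": 4732, "TimeCreated": "2021-05-18T09:03:00Z", "TargetUserName": "jsmith", "GroupName": "Remote Desktop Users", "SubjectUserName": "helpdesk01"}
{"EventID": 4732, "TimeCreated": "2021-05-19T14:30:00Z", "TargetUserName": "itadmin", "GroupName": "Administrators", "SubjectUserName": "helpdesk01"}
{"EventID": 4720, "TimeCreated": "2021-05-20T03:14:07Z", "TargetUserName": "elie", "SubjectUserName": "svc_backup"}
{"EventID": 4732, "TimeCreated": "2021-05-20T03:14:09Z", "TargetUserName": "elie", "GroupName": "Administrators", "SubjectUserName": "svc_backup"}
{"EventID": 4624, "TimeCreated": "2021-05-20T03:20:00Z", "TargetUserName": "elie", "LogonType": 10}
"""

# Username the FBI alert reported the APT group creating (lower-case for matching).
IOC_ACCOUNTS = {"elie"}
# Groups whose membership grants administrative rights and should be audited.
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
# A brand-new account gaining admin rights this quickly is a classic intrusion pattern
# (the 15-minute window is an assumed tuning value for this example).
ESCALATION_WINDOW = timedelta(minutes=15)


@dataclass
class Finding:
    severity: str      # "high", "medium" or "info"
    account: str
    reason: str
    event: dict


def parse_events(text: str) -> list:
    """Parse a JSON-lines export into a list of event dicts, oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["TimeCreated"])


def _when(ev: dict) -> datetime:
    # fromisoformat() only accepts a trailing "Z" on Python 3.11+, so normalise it.
    return datetime.fromisoformat(ev["TimeCreated"].replace("Z", "+00:00"))


def audit_accounts(events, ioc_accounts=IOC_ACCOUNTS, admin_groups=ADMIN_GROUPS,
                   window=ESCALATION_WINDOW):
    """Walk the events in time order and return a list of Findings."""
    created = {}                    # account name (lower-case) -> creation time
    findings = []
    for ev in events:
        user = ev.get("TargetUserName", "")
        key = user.lower()
        eid = ev["EventID"]
        if eid == 4720:
            created[key] = _when(ev)
            if key in ioc_accounts:
                findings.append(Finding("high", user,
                                        "new account matches username reported in the FBI alert", ev))
        elif eid == 4732 and ev.get("GroupName") in admin_groups:
            since = created.get(key)
            if since is not None and _when(ev) - since <= window:
                findings.append(Finding("high", user,
                                        f"account created and added to {ev['GroupName']} within {window}", ev))
            else:
                findings.append(Finding("info", user,
                                        f"added to privileged group {ev['GroupName']}; review against least privilege", ev))
        elif eid == 4624 and ev.get("LogonType") == 10 and key in created:
            findings.append(Finding("medium", user,
                                    "RDP (RemoteInteractive) logon by a recently created account", ev))
    return findings


if __name__ == "__main__":
    for f in audit_accounts(parse_events(SAMPLE_EVENTS)):
        print(f"[{f.severity.upper():6}] {f.account:10} {f.event['TimeCreated']}  {f.reason}")
```

Run against the sample, the script reports the pre-existing ‘itadmin’ admin-group addition as an audit item, and flags ‘elie’ three times: the account name matches the alert’s indicator, it was added to Administrators two seconds after creation, and it then logged on over RDP. In a real environment the events would come from the domain controllers’ and servers’ Security logs, and the IOC set would be extended with whatever the current alert lists.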
According to Fortinet, patches for all three vulnerabilities were released between August 2019 and July 2020. Because CVE-2018-13379 allows system files, including stored VPN credentials, to be read, applying the patch does not revoke credentials that were harvested before the update; affected accounts also need a password reset.