The US CISA and FBI issued a joint advisory late last week warning that APT hacking groups are targeting FortiOS, the operating system that powers FortiGate firewalls. While the advisory did not name the threat groups, it said they are targeting three vulnerabilities in FortiOS that can let attackers breach a network and intercept communications.
APT Attacks on FortiOS
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) of the US issued a joint advisory on April 2nd describing the latest wave of attacks observed against FortiOS. The advisory says the hacking groups are scanning ports 4443, 8443, and 10443 for the following vulnerabilities:
- CVE-2020-12812: An authentication vulnerability in the FortiOS SSL VPN.
- CVE-2018-13379: A vulnerability that lets an unauthenticated attacker download system files via the SSL VPN, and
- CVE-2019-5591: A configuration vulnerability that lets an attacker intercept sensitive data by impersonating the LDAP server.
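The advisory gives defenders one concrete thing to look for: sources sweeping the three SSL VPN ports it names. The script below is an added example, not code from the advisory or the article; it correlates constructed firewall log lines (the log format, field names and time window are assumptions) and flags any source that touches two or more of ports 4443, 8443 and 10443 within ten minutes.

```python
# Added example (not from the advisory or the article): flag sources that sweep
# the FortiOS SSL VPN ports named in the advisory. Log shape is constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

ADVISORY_PORTS = {4443, 8443, 10443}   # ports named in the CISA/FBI advisory
WINDOW = timedelta(minutes=10)         # assumed correlation window

# Constructed sample firewall lines: 203.0.113.7 sweeps all three ports,
# 192.0.2.10 touches one, 198.51.100.99 hits two but an hour apart.
SAMPLE_LOG = """\
2021-04-05T10:00:01Z fw01 deny src=203.0.113.7 dst=198.51.100.2 dport=4443
2021-04-05T10:00:02Z fw01 deny src=203.0.113.7 dst=198.51.100.2 dport=8443
2021-04-05T10:00:03Z fw01 deny src=203.0.113.7 dst=198.51.100.2 dport=10443
2021-04-05T10:02:00Z fw01 allow src=192.0.2.10 dst=198.51.100.2 dport=8443
2021-04-05T12:30:00Z fw01 deny src=198.51.100.99 dst=198.51.100.2 dport=4443
2021-04-05T13:30:00Z fw01 deny src=198.51.100.99 dst=198.51.100.2 dport=8443
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ (?:allow|deny) src=(?P<src>\S+) "
                     r"dst=\S+ dport=(?P<dport>\d+)")

def parse(log_text):
    """Yield (timestamp, src, port) for lines that touch an advisory port."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # unexpected line shape: skip it
        port = int(m["dport"])
        if port in ADVISORY_PORTS:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["src"], port

def find_sweeping_sources(log_text, min_ports=2):
    """Return {src: sorted ports} for sources hitting >= min_ports distinct
    advisory ports within WINDOW, i.e. a sweep of the SSL VPN listener ports."""
    hits = defaultdict(list)
    for ts, src, port in parse(log_text):
        hits[src].append((ts, port))
    flagged = {}
    for src, events in hits.items():
        events.sort()                    # chronological, then slide a window
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= WINDOW}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged
```

Lowering `min_ports` to 1 turns the check into a plain alert on any contact with these ports, which is noisier but useful on a perimeter where the SSL VPN is not meant to be exposed at all.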
Since all three are fairly critical, the FBI and CISA urge organizations to patch them immediately so they do not become victims. While the advisory did not name the hacking groups, it attributes the activity to APTs, the specialized hacking groups backed by nation-states.
APTs often target other governments' organizations for reconnaissance. They aim to steal sensitive data such as intellectual property and to disrupt the targeted nations' plans. Besides government agencies, these APT actors are trying to exploit the above vulnerabilities to gain access to "commercial and technology services networks," the advisory reads.
Fortinet has released patches for these vulnerabilities, and applying them immediately is recommended. Beyond updating, the FBI and CISA also recommend additional safety measures: maintaining a recovery plan, backing up data regularly, using 2FA wherever possible, restricting RDP ports, and monitoring RDP logs periodically.