The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI recently issued a warning about three security vulnerabilities in Fortinet's FortiOS SSL VPN. The flaws are currently being exploited by Advanced Persistent Threat (APT) attackers.
According to the warning, which was posted on Friday last week, the attackers scan ports 8443, 4443, and 10443 on targeted devices, looking to exploit three known vulnerabilities tracked as CVE-2020-12812, CVE-2019-5591, and CVE-2018-13379.
The presumed goal of the attackers is to gain access to various private and public sector networks. In the past, similar attacks have served as the first stage of distributed denial-of-service (DDoS) attacks, ransomware attacks, SQL injection campaigns, phishing, defacement of high-profile websites, and disinformation campaigns aimed at the public.
CVE-2018-13379 is a vulnerability that allows attackers to bypass authentication and read system files.
CVE-2019-5591 is a default-configuration weakness in the FortiOS SSL VPN that attackers use to intercept data by posing as the LDAP server.
The third flaw, CVE-2020-12812, can be used to bypass two-factor authentication by changing the case of the username.
According to Zach Hanley, a specialist at Horizon3.AI, the number of attackers targeting critical external-facing applications such as VPNs has increased significantly over the last year. The three SSL VPN vulnerabilities reported by CISA and the FBI are currently being used to bypass multi-factor authentication (MFA), obtain valid credentials, and carry out man-in-the-middle attacks on authentication, thereby intercepting data transfers.
Once the hackers have bypassed the security measures in place, the end result is that they are indistinguishable from legitimate users. Because of the large number of Fortinet users, the three SSL VPN bugs are very popular among cybercriminals and are exploited frequently.
According to Satnam Narang, a research engineer at Tenable, CVE-2018-13379 has been widely exploited by cybercriminals ever since it became public in 2019. The flaw even made it into Tenable's list of the top 5 security vulnerabilities of 2020.
The FBI/CISA report did not make clear which APT group or groups are behind the recent exploitation of the three vulnerabilities.
Overview of the attacks
According to Friday's warning, the attackers could be using one or more of the CVEs to gain access to critical-infrastructure networks across different sectors and then move laterally from there. The end goal of the attack can vary: after a successful intrusion, the APTs could exfiltrate sensitive data for various purposes or deploy ransomware for extortion. Spear-phishing is also a possible follow-up to an attack that began with the exploitation of any of these CVEs.
CISA and the FBI also emphasize the importance of patching known security vulnerabilities. In many cyberattacks, the attack succeeds not because the exploited flaw was unknown, but because it was not patched in time.
One additional factor that has helped the hackers during the past year is the increased use of VPNs brought about by the shift to remote work, which has produced a matching increase in the number of potential targets. Because of this, it is now more critical than ever that organizations, both public and private, take measures to secure their networks and infrastructure and adopt a patching policy that ensures every connected device, and the software installed on it, receives security patches as soon as they are released. Prompt patching and user education are the two main factors that can ensure reliable security.
Precaution measures and security tips
Here are some of the protective measures suggested by CISA and the FBI that could help network administrators prevent hacker infiltration of their networks:
- Install the security patches that resolve the three flaws mentioned above (CVE-2020-12812, CVE-2019-5591, and CVE-2018-13379).
- Make sure that you have at least one offline backup of important data which cannot be accessed from within the primary system and update that backup on a regular basis.
- Only allow users with Administrator privileges to install/change/uninstall software.
- If your organization doesn't use FortiOS, add the key FortiOS artifact files to your execution denylist so that they cannot run in your network, removing the possibility of being attacked through the FortiOS CVEs mentioned above.
- Make sure that new software and OS updates are installed on all devices in the network as soon as they are released.
- Try to implement two-factor (or higher) authentication at as many points as possible.
- Change account and network system passwords regularly (preferably at short intervals) and avoid reusing a password, or a close variant of it, more than once.
- Always have a clear and streamlined contingency plan for restoration of critical data (you can implement a separate physical hard-drive and/or a cloud storage as a part of the plan).
- Never leave remote access or Remote Desktop Protocol (RDP) ports enabled when they are not in use, and monitor the logs of RDP and other remote access services.
- Consider disabling links in received emails network-wide.
- Consider adding a banner to emails that don’t come from your organization.
- Give admin accounts the bare minimum of privileges: only what is necessary for the employee to complete their specific tasks.
- Do not overlook the importance of employee training and awareness. Make sure to educate all employees about the tactics and methods used by cybercriminals and the ways to recognize and avoid them. Consider organizing training programs and courses on a regular basis so that employees are kept up to date with the latest security dangers and pitfalls.