Advanced Persistent Threat (APT) nation-state actors are likely exploiting security vulnerabilities in Fortinet's FortiOS operating system that affect the company's SSL VPN products, according to the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA).
According to the joint FBI and CISA advisory released on Friday, the threat actors are scanning devices on ports 4443, 8443, and 10443 for unpatched Fortinet deployments. The APTs are specifically targeting CVE-2018-13379, CVE-2019-5591, and CVE-2020-12812.
“It is likely that the APT actors are scanning for these vulnerabilities to gain access to multiple government, commercial and technology services networks,” according to the alert. “APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns.”
CVE-2018-13379 is a path-traversal flaw in the FortiOS SSL VPN web portal: an unauthenticated attacker can download system files by sending specially crafted HTTP resource requests to the portal. Because the request needs no credentials, any device that was reachable on those ports while unpatched should be treated as potentially already accessed, not merely at risk.
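A practitioner reviewing a portal's access logs for this class of request wants the check to survive URL encoding, since the traversal sequence rarely arrives as a literal `../`. The following is an added example, not code from the page or from Fortinet: it parses constructed Common Log Format lines, decodes repeated percent-encoding, and flags portal requests whose decoded URL contains a `..` path segment. The `/remote/` prefix used to identify SSL VPN portal requests, the `file=` parameter, and every log line are assumptions made up for the illustration.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in Common Log Format (not from any real device).
# The /remote/ prefix stands in for the SSL VPN web portal path and is an assumption.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Apr/2021:10:00:01 +0000] "GET /remote/login HTTP/1.1" 200 1234
203.0.113.7 - - [02/Apr/2021:10:00:02 +0000] "GET /remote/portal?file=/../../../../etc/passwd HTTP/1.1" 200 512
203.0.113.7 - - [02/Apr/2021:10:00:03 +0000] "GET /remote/portal?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 512
198.51.100.9 - - [02/Apr/2021:10:00:04 +0000] "GET /remote/portal?file=..%252f..%252fetc%252fpasswd HTTP/1.1" 404 0
10.0.0.6 - - [02/Apr/2021:10:00:05 +0000] "GET /remote/portal?file=help/faq.html HTTP/1.1" 200 100
10.0.0.6 - - [02/Apr/2021:10:00:06 +0000] "GET /static/app.js?v=1..2 HTTP/1.1" 200 100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+'
)
PORTAL_PREFIX = "/remote/"  # assumption: the portal's URL prefix on this hypothetical device
# A '..' segment bounded by slashes (either style) or by the string ends.
TRAVERSAL_RE = re.compile(r"(^|[/\\])\.\.([/\\]|$)")


def normalize_url(url: str, max_rounds: int = 3) -> str:
    """Collapse repeated percent-encoding (%252e -> %2e -> .) so encoded traversal
    sequences are compared in decoded form. Bounded so a pathological input
    cannot keep the loop busy."""
    current = url
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def is_traversal(url: str) -> bool:
    """True if the decoded URL contains a '..' path segment."""
    return TRAVERSAL_RE.search(normalize_url(url)) is not None


def find_traversal_attempts(log_text: str) -> list:
    """Return one record per portal request whose decoded URL contains a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = m.group("url")
        if not url.startswith(PORTAL_PREFIX) or not is_traversal(url):
            continue
        hits.append({
            "ip": m.group("ip"),
            "status": int(m.group("status")),  # a 200 means the portal served something
            "raw": url,
            "decoded": normalize_url(url),
        })
    return hits


def sources_by_count(hits: list) -> dict:
    """Aggregate hits per source IP, which is what you would pivot on next."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in find_traversal_attempts(SAMPLE_LOG):
        print(f'{h["ip"]} status={h["status"]} {h["decoded"]}')
```

The decode loop is the part worth keeping: a single `unquote` misses the double-encoded request on the third line, and the segment-bounded regex avoids firing on harmless strings such as `v=1..2`. A 200 response on a flagged request is the record to escalate; a 404 still shows that a source was probing.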
CVE-2019-5591 is a default-configuration weakness in FortiOS that could let an unauthenticated attacker on the same subnet intercept sensitive information by impersonating the LDAP server.
Lastly, CVE-2020-12812 is an improper-authentication flaw in the FortiOS SSL VPN that could let a user log in without being prompted for the second authentication factor (FortiToken) if the case of their username is changed.
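The page does not describe the internals of this flaw, so the following is an added example modelling the general class of bug rather than FortiOS code: a login flow whose primary authentication matches usernames case-insensitively (as most directories do) while the second-factor policy is looked up with the username exactly as typed. Under that assumption, `Alice` passes the password check, finds no token policy under `Alice`, and is granted access without a token. The hardened version keys every later decision off the canonical name the directory returned and fails closed when no token policy exists. The user directory, token policy, password and token value are all constructed for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-ins for the device's user directory and second-factor policy
# (assumptions for illustration, not FortiOS internals).
_SALT = os.urandom(16)


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


DIRECTORY = {"alice": _hash_password("correct horse battery staple")}
TOKEN_POLICY = {"alice": "246810"}  # constructed stand-in for the user's current FortiToken code


def directory_auth(username: str, password: str) -> Optional[str]:
    """Primary authentication against a directory that matches usernames
    case-insensitively. Returns the directory's canonical name on success, else None."""
    canonical = username.lower()
    stored = DIRECTORY.get(canonical)
    if stored is None or not hmac.compare_digest(stored, _hash_password(password)):
        return None
    return canonical


def _token_matches(expected: str, token: str) -> bool:
    return hmac.compare_digest(expected.encode(), token.encode())


def login_vulnerable(username: str, password: str, token: Optional[str] = None) -> str:
    """Password check is case-insensitive, but the second-factor lookup uses the
    raw string. A case-altered username finds no policy and skips the token."""
    if directory_auth(username, password) is None:
        return "denied"
    expected = TOKEN_POLICY.get(username)   # BUG: case-sensitive lookup on raw input
    if expected is None:
        return "granted"                    # BUG: missing policy treated as "no 2FA"
    if token is None:
        return "token_required"
    return "granted" if _token_matches(expected, token) else "denied"


def login_fixed(username: str, password: str, token: Optional[str] = None) -> str:
    """Every decision after primary auth keys off the canonical name the directory
    returned, and an absent token policy fails closed."""
    canonical = directory_auth(username, password)
    if canonical is None:
        return "denied"
    expected = TOKEN_POLICY.get(canonical)  # canonical name, not the raw input
    if expected is None:
        return "denied"                     # fail closed: no policy, no access
    if token is None:
        return "token_required"
    return "granted" if _token_matches(expected, token) else "denied"


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("vulnerable, 'alice':", login_vulnerable("alice", pw))   # token_required
    print("vulnerable, 'Alice':", login_vulnerable("Alice", pw))   # granted, no token asked
    print("fixed, 'Alice':     ", login_fixed("Alice", pw))        # token_required
```

The two lines that matter are the lookup key and the fail-closed branch. Once an identity has been established by the primary factor, every subsequent policy decision should use the identity the authenticator returned, never the string the client supplied; and a user with no second-factor policy should be denied by default, not waved through. For the real device the only remediation is Fortinet's patch; this example is there to make the failure mode concrete.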