APT actors exploit vulnerabilities to gain initial access for future attacks.
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) advises organisations using Fortinet devices that advanced persistent threat (APT) actors have been observed exploiting the following vulnerabilities:
- CVE-2018-13379 – Fortinet path traversal
- CVE-2020-12812 – Fortinet two-factor authentication bypass
- CVE-2019-5591 – Fortinet man-in-the-middle via LDAP server impersonation
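The first CVE above is a path traversal flaw, and a defender's first question is usually whether the web-facing device has already been probed for it. The following is an added example, not code from the ACSC, CISA or Fortinet: a small scanner that normalises percent-encoding (including double encoding) and flags requests whose path or query contains a `..` segment. The log format and the log lines are constructed for illustration; it does not encode the Fortinet-specific endpoint, so it detects the traversal class rather than one exploit.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a simplified "client method path status" format.
SAMPLE_LOG = """\
203.0.113.5 GET /login 200
203.0.113.7 GET /static/../../etc/passwd 403
203.0.113.9 GET /remote/%2e%2e/%2e%2e/secret 200
203.0.113.9 GET /download?file=..%252f..%252fconfig 200
203.0.113.11 GET /docs/index.html 200
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")


def normalize_path(path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (double encoding is common) and unify slashes."""
    prev, decoded = None, path
    for _ in range(max_rounds):
        if decoded == prev:
            break
        prev, decoded = decoded, unquote(decoded)
    return decoded.replace("\\", "/")


def is_traversal(path: str) -> bool:
    """True if any path or query-value segment equals '..' after normalisation."""
    decoded = normalize_path(path)
    # Split on separators that delimit segments in paths and query strings.
    return any(seg == ".." for seg in re.split(r"[/?&=;]", decoded))


def find_traversal_attempts(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client, path, status) for every request that looks like traversal.

    The status code is kept so that a 200 on a traversal request, which may mean
    the device served the file, can be prioritised over a blocked 403.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m["path"]):
            hits.append((m["ip"], m["path"], m["status"]))
    return hits


if __name__ == "__main__":
    for client, path, status in find_traversal_attempts(SAMPLE_LOG):
        print(f"{client} {status} {path}")
```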
According to the ACSC, the warning originates from the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).
In March 2021, the FBI and CISA observed advanced persistent threat (APT) actors scanning devices for the vulnerabilities listed above.
It is likely that the APT actors are scanning for these vulnerabilities to gain access to multiple government, commercial, and technology services networks. APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spearphishing campaigns, website defacements, and disinformation campaigns.
The FBI and CISA also indicate APT actors are using multiple CVEs to exploit Fortinet FortiOS vulnerabilities to gain access to multiple government, commercial, and technology services networks.
The APT actors may be using any or all of these CVEs to gain access to key networks across multiple critical infrastructure sectors as pre-positioning for follow-on data exfiltration or data encryption attacks.
Both organisations stated that APT actors may also use other CVEs or common exploitation techniques, such as spearphishing, to gain access to critical infrastructure networks and pre-position for follow-on attacks.
To mitigate risk, organisations should:
- Immediately patch CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
- If FortiOS is not used by your organisation, add key artifact files used by FortiOS to your organisation’s execution deny list, so that any attempt to install or run the program and its associated files is prevented.
- Regularly back up data, and air-gap and password-protect backup copies offline. Ensure copies of critical data cannot be modified or deleted from the primary system where the data resides. Implement network segmentation.
- Require administrator credentials to install software.
- Implement a recovery plan to restore sensitive or proprietary data from a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
- Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
- Use multifactor authentication where possible.
- Constantly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
- Implement the shortest acceptable timeframe for password changes.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Install and regularly update antivirus and anti-malware software on all hosts.
- Consider adding an email banner to emails received from outside your organisation.
- Disable hyperlinks in received emails.
- Focus on awareness and training.
- Provide users with training on information security principles and techniques, particularly on recognising and avoiding phishing emails.