The FBI and CISA issued a joint statement warning for attacks by APT hackers targeting Fortinet FortiOS servers, using multiple exploits. Malicious agents are actively exploiting Fortinet FortiOS servers vulnerabilities CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591.
The FBI and CISA warnings state the following:
"In March 2021, the FBI and CISA observed that APT hackers were scanning devices at ports 4443, 8443 and 10443 for vulnerabilities CVE-2018-13379, and numbered devices for vulnerabilities CVE-2020-12812 and CVE-2019-5591 . "Malicious agents are likely to seek out these vulnerabilities in order to gain access to government, commercial and technology service networks."
Both services warn that APT hackers may use any or all of the above vulnerabilities to gain access to networks and critical infrastructure in many industries. Once they have access to the target networks, attackers can prepare the ground for future malicious activities, such as data theft or data encryption attacks. In addition, hackers can use other vulnerabilities or common exploitation techniques - such as spear phishing - to gain access to critical infrastructure networks for subsequent attacks.
See also: Portable VPN protects your internet data
The warning also includes mitigation measures to safeguard systems from ongoing attacks that exploit these vulnerabilities.:
- Repair CVE 2018-13379, 2020-12812 and 2019-5591 vulnerabilities immediately.
- If FortiOS is not used by your organization, add key artifact files used by FortiOS to your organization refusal list. Attempts to install or run this program and its associated files should be avoided.
- Make regular backups and apply password protection to offline backups. Make sure that copies of critical data are not accessible for modification or deletion from the primary system where the data is located.
- Apply network segmentation.
- Demand credentials administrator for software installation.
- Implement a recovery program to recover sensitive or proprietary data from a physically separate, fragmented, secure location (e.g., hard disk, storage device, cloud).
- Apply updates / patches to operating systems, software and firmware as soon as they are released.
- Use multi-factor authentication (MFA) where possible.
- Regularly change passwords on network systems and accounts, and avoid reusing passwords on different accounts. Apply the shortest acceptable time frame for password changes.
- Disable Remote Access / Remote Desktop Protocol (RDP) ports and watch Remote Access / RDP logs.
- Check user accounts with administrator privileges and configure access controls for less privilege.
- Install and regularly update antivirus and malware protection software on all servers.
- Consider adding e-mail banner in emails received outside your organization.
- Disable hyperlinks to received emails.
- Focus on awareness and education. Provide users with training on information security principles and techniques, in particular on identifying and avoiding phishing emails.
This is not the first time the FBI and CISA have issued joint security advice on attacks that exploit vulnerabilities in Fortinet systems. In October 2020, US services warned that APT hackers were exploiting vulnerabilities in VPN products (Fortinet, Pulse Secure) and Windows ZeroLogon in attacks targeting both government and service networks and non-government networks.
The FBI and CISA also observed attacks by APT hackers exploiting two vulnerabilities - CVE-2018-13379 and CVE-2020-1472.
Source of information: securityaffairs.co