- Advanced persistent threat groups (APTs) are targeting vulnerabilities in Fortinet FortiOS systems to gain network access to customers in government, commercial and technology services, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned last week.
- The warning stems from a vulnerability originally identified in 2019 involving secure sockets layer (SSL) VPNs. The original warnings had several types of VPNs, however the FortiOS SSL VPNs in many cases remained unpatched despite regular security alerts from the company.
- Many corporate workers adopted VPNs to work remotely. But some companies failed to properly patch their systems, allowing threat actors to pursue these attack methods in stealth, while threat hunters were focused on other activity.
CISA and the FBI warned that APT groups have been observed scanning devices on ports 4443, 8443 and 10443 for CVE-2018-13379 and enumerated devices for CVE-2020-12812 and CVE-2019-5591. The agencies say the goal may involve engaging in data exfiltration or data encryption attacks in the future.
"All three vulnerabilities identified in this latest advisory follow a trend where both cybercriminals and APT groups are taking advantage of known, yet unpatched, vulnerabilities instead of investing in the development or acquisition of zero-day flaws," Satnam Narang, staff research engineer at Tenable, said via email.
Cybercriminals and APTs have targeted SSL VPN vulnerabilities over the years. The switch to remote work at the beginning of the COVID-19 pandemic made them even more attractive as the attack surface has expanded, Narang said.
The new FBI/CISA alert comes despite years of public and direct communications from Fortinet regarding the need for upgrades.
"The security of our customers is our first priority," Fortinet officials said through a spokesperson.
CVE-2018-13379 is an old vulnerability that was resolved in May 2019, according to the firm. The company said it issued blog posts on the vulnerability in August 2019 and July 2020 recommending upgrades and sent direct communications to customers.
CVE-2019-5591 and CVE-2020-12812 were resolved in July 2019 and July 2020, respectively.
The new warning marks the latest in a series of alerts and warnings from federal agencies about VPN security, and points out a larger concern for the industry. Analysts say traditional VPNs were not built for the modern security demands of a remote workforce at this scale.
During the beginning of the pandemic, companies sent thousands of workers home all at once and put tremendous demands on their bandwidth by using video conferencing and other productivity tools.
"VPN became the new infrastructure and nobody was prepared for it," said Rob Smith, research director at Gartner. VPNs were typically designed for a company to use for about 10% of a corporate workforce, however within weeks of the COVID-19 lockdown, millions of workers required access to enterprise data networks.
"Literally nobody I've talked to had the bandwidth to do two-way video calls for basically their entire remote workforce over a VPN," David Holmes, senior analyst at Forrester said. Companies have started to move away from traditional VPN technologies and are beginning to embrace more flexible and secure technologies like zero-trust network access or secure access service edge, he said.