Cyberattackers Continue Assault Against Fortinet Devices
Patched earlier this month, a code-execution vulnerability is the latest FortiOS weakness to be exploited by attackers, who see the devices as well-placed targets for initial access operations.
In early March, a customer called in Fortinet’s incident response team when multiple FortiGate security appliances stopped working, entering an error mode after the firmware failed an integrity self-test.
It was a cyberattack, and it led to the discovery of the latest vulnerability in Fortinet devices: a medium-severity but highly exploitable bug (CVE-2022-41328) that allows a privileged attacker to read and write files. The threat group, which Fortinet labeled an “advanced actor,” appeared to be targeting government agencies or government-related organizations, the company stated in a recent analysis of the attack.
Yet the incident also shows that attackers are giving Fortinet devices significant attention. And the attack surface is wide: So far this year, 60 vulnerabilities in Fortinet products have been assigned CVEs and published in the National Vulnerability Database, double the rate at which flaws were disclosed in Fortinet devices in the previous peak year, 2021. Plenty are critical, too: Earlier this month, Fortinet revealed that a critical buffer underwrite vulnerability in FortiOS and FortiProxy (CVE-2023-25610) could allow a remote unauthenticated attacker to run any code on a variety of appliances.
Interest is high, as well. In November, for example, one security firm warned that a cybercriminal group was selling access to compromised FortiOS devices on a Russian Dark Web forum. But whether the vulnerabilities have spurred the attention, or vice versa, is moot, says David Maynor, senior director of threat intelligence at Cybrary, a security training firm.
“Attackers smell blood in the water,” he says. “The number and frequency of remotely exploitable vulnerabilities over the last two years has increased at a breakneck speed. If there is a nation-state group that isn’t integrating Fortinet exploits, they are slouching on the job.”
Like other network security appliances, Fortinet devices inhabit the critical point between the Internet and internal networks or applications, making them a valuable target to compromise for attackers looking for a foothold into corporate networks, the research team from threat intelligence firm GreyNoise Research said in an email interview with Dark Reading.
“A large majority of Fortinet devices are edge devices, and as a result are commonly Internet facing,” the team said. “This is true of all edge devices. If an attacker is going to go through the effort of an exploitation campaign the volume of edge devices make[s] for a valuable target.”
The researchers also warned that Fortinet is not likely alone in the crosshairs of attackers.
“All edge devices from any vendors will have vulnerabilities sooner or later,” GreyNoise Research said.
Fortinet Attack Detailed
Fortinet described the attack on its customers’ devices in some detail in its advisory. The attackers had used the vulnerability to modify the device firmware and add a new firmware file. The attackers gained access to the FortiGate devices via the FortiManager software and modified the devices’ start-up script to maintain persistence.
The malicious firmware could have allowed for data exfiltration, the reading and writing of files, or given the attacker a remote shell, depending on the command the software received from the command-and-control (C2) server, Fortinet stated. More than a half dozen other files were modified as well.
The incident analysis, however, lacked several critical pieces of information, such as how the attackers gained privileged access to the FortiManager software and the date of the attack, among other details.
When contacted, the company issued a statement in response to an interview request: “We published a PSIRT advisory (FG-IR-22-369) on March 7 that details recommended next steps regarding CVE-2022-41328,” the company said. “As part of our ongoing commitment to the security of our customers, Fortinet shared additional detail and analysis in the March 9 blog post and continues to advise customers to follow the guidance provided.”
Overall, by finding and disclosing the vulnerability, and publishing an analysis of their incident response, Fortinet is doing the right things, the GreyNoise Research team told Dark Reading.
“They published a detailed analysis two days later including an executive summary, as well as a massive [number] of accurate details about the nature of the vulnerability and the activity of the attacker, providing defenders [with] actionable intelligence,” the team stated. “Fortinet chose to clearly, timely, and accurately communicate about this vulnerability.”
Related news
The China-nexus cyber espionage actor linked to the zero-day exploitation of security flaws in Fortinet, Ivanti, and VMware devices has been observed utilizing multiple persistence mechanisms in order to maintain unfettered access to compromised environments. "Persistence mechanisms encompassed network devices, hypervisors, and virtual machines, ensuring alternative channels remain available
An advanced China-nexus cyber espionage group previously linked to the exploitation of security flaws in VMware and Fortinet appliances has been linked to the abuse of a critical vulnerability in VMware vCenter Server as a zero-day since late 2021. "UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example further
Nearly 20% of the zero-day flaws that attackers exploited in 2022 were in network, security, and IT management products, Mandiant says.
As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple. While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significant uptick in recent years of threat actors leveraging unknown security flaws to their advantage. The
The zero-day exploitation of a now-patched medium-severity flaw in the Fortinet FortiOS operating system has been linked to a suspected Chinese hacking group. Threat intelligence firm Mandiant, which made the attribution, said the activity cluster is part of a broader campaign designed to deploy backdoors onto Fortinet and VMware solutions and maintain persistent access to victim environments.
Chinese Hackers Exploiting 0-day Vulnerability in Fortinet Products (HackRead.com, by Deeba Ahmed): According to researchers, multiple Fortinet products were impacted by this vulnerability, including FortiManager, FortiGate, and FortiAnalyzer.
Update now! Microsoft fixes two zero-day bugs (Malwarebytes Labs): This Patch Tuesday, Microsoft has released fixes for two actively exploited zero-days and Adobe has fixed one.
Government entities and large organizations have been targeted by an unknown threat actor by exploiting a security flaw in Fortinet FortiOS software to result in data loss and OS and file corruption. "The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," Fortinet researchers Guillaume Lovet and Alex Kong said in an
Fortinet has released fixes to address 15 security flaws, including one critical vulnerability impacting FortiOS and FortiProxy that could enable a threat actor to take control of affected systems. The issue, tracked as CVE-2023-25610, is rated 9.3 out of 10 for severity and was internally discovered and reported by its security teams. "A buffer underwrite ('buffer underflow') vulnerability in
An improper limitation of a pathname to a restricted directory vulnerability ('path traversal') [CWE-22] in Fortinet FortiOS versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.9, and before 6.4.11 allows a privileged attacker to read and write files on the underlying Linux system via crafted CLI commands.