SUMMARY
In March of 2021, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) were alerted to Advanced Persistent Threat (APT) actors scanning devices on ports 4443, 8443, and 10443 for CVE-2018-13379, and numerous devices for CVE-2020-12812 and CVE-2019-5591.
Historically, APT actors have leveraged critical vulnerabilities to perform distributed denial-of-service (DDoS) attacks, spearphishing campaigns, website defacements, disinformation campaigns, and structured query language (SQL) injection attacks. It is highly probable that these APT actors are attempting to exploit these vulnerabilities to gain access to government, commercial, and technology services networks.
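The scanning described above is visible in perimeter logs as a single source touching many hosts on ports 4443, 8443, and 10443. The following detection sketch is an added example, not part of the FBI/CISA advisory; it assumes a constructed, generic firewall log format (not FortiOS syslog) and flags sources that probe several distinct hosts on those ports.

```python
import re
from collections import defaultdict

# Ports the advisory reports being scanned for CVE-2018-13379.
WATCHED_PORTS = {4443, 8443, 10443}

# Assumed log format (constructed for this example, not a real vendor format):
#   src=<ip> dst=<ip> dport=<port> action=<allow|deny>
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)"
)


def parse_line(line):
    """Return (src, dst, dport, action) or None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport")), m.group("action")


def find_scanners(lines, min_targets=3):
    """Flag sources hitting at least `min_targets` distinct hosts on watched ports.

    Denied and allowed connections both count: a sweep that reaches a listening
    SSL-VPN port is the case worth triaging first.
    Returns {src: sorted list of (dst, dport)} for each flagged source.
    """
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport, _action = parsed
        if dport in WATCHED_PORTS:
            hits[src].add((dst, dport))
    return {
        src: sorted(targets)
        for src, targets in hits.items()
        if len({dst for dst, _ in targets}) >= min_targets
    }


# Constructed sample log lines using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
src=203.0.113.7 dst=198.51.100.10 dport=4443 action=deny
src=203.0.113.7 dst=198.51.100.11 dport=8443 action=deny
src=203.0.113.7 dst=198.51.100.12 dport=10443 action=deny
src=203.0.113.7 dst=198.51.100.13 dport=4443 action=allow
src=192.0.2.50 dst=198.51.100.10 dport=443 action=allow
src=192.0.2.51 dst=198.51.100.11 dport=8443 action=allow
malformed line that the parser should skip
""".splitlines()

if __name__ == "__main__":
    for src, targets in find_scanners(SAMPLE_LOG).items():
        print(f"possible FortiOS port sweep from {src}: {targets}")
```

Tune `min_targets` to your environment; a single hit on one SSL-VPN port is normal user traffic, a spread across many hosts is not.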
TECHNICAL DETAILS
The FBI and CISA have evidence indicating these APT actors are using multiple CVEs to exploit Fortinet FortiOS vulnerabilities so they can infiltrate government, commercial, and technology service networks. The FBI and CISA believe that APT actors may be using CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 to exploit Fortinet FortiOS vulnerabilities.
Using these CVEs, APT actors may be attempting to infiltrate networks in multiple critical infrastructures to gain the access necessary for subsequent data exfiltration and data encryption attacks. APT actors may use other CVEs or common exploitation techniques like spearphishing to gain sufficient access for planned attacks.
MITIGATIONS
We recommend companies and organizations do the following:
- Patch CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 immediately.
- If your organization does not use FortiOS, add FortiOS key artifact files to your organization’s execution deny list. Attempts to install or execute this program and any associated files should be prevented.
- Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are unable to be modified or deleted from the primary data retention system.
- Implement network segmentation.
- Require administrator credentials to install the software.
- Implement a recovery plan to restore sensitive or proprietary data from a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
- Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
- Use multi-factor authentication where possible.
- Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Install and regularly update antivirus and anti-malware software on all hosts.
- Consider adding an email banner to emails received from outside your organization.
- Disable hyperlinks in received emails.
- Focus on awareness and training. Provide users with training on information security principles and techniques, particularly on recognizing and avoiding phishing emails.
CONTACT INFORMATION
For any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact Breadcrumb. This report originally appeared here.