
Warning over ransomware attacks spreading via Fortinet kit

by Altszn.com
January 5, 2023
in Dark Web


Ransomware operators are exploiting Fortinet network devices that remain vulnerable to a critical authentication bypass vulnerability, according to research publicly released today by eSentire’s Threat Research Unit (TRU).

Fortinet first disclosed the vulnerability in question – tracked as CVE-2022-40684 – on 10 October 2022. It affects FortiOS, FortiProxy and FortiSwitchManager and, if successfully exploited, would enable an unauthenticated actor to perform operations on the admin interface by sending specially crafted HTTP or HTTPS requests.

Fortinet said at the time of the disclosure that it was aware of an instance of the vulnerability having been exploited. However, according to eSentire, a functional proof-of-concept (PoC) exploit was circulating just three days later, after which a “slew” of threat actors began scanning the internet for vulnerable devices.

The TRU team said it had detected and shut down two attacks on its customers – one, a further education institution in Canada, and the other, a business services provider in the US. Both were hit by an undisclosed ransomware operator, and in both cases, the investigation led back to vulnerable Fortinet secure socket layer virtual private network (SSL VPN) devices that were being managed and monitored by third-party managed service providers (MSPs).

Once the threat actor had gained a foothold in the target environments, it abused Microsoft’s Remote Desktop Protocol (RDP) to achieve lateral movement, and also abused the legitimate encryption utilities BestCrypt and BitLocker. The overall modus operandi and ransom note were indicative of a relatively new group known as KalajaTomorr.

Keegan Keplinger, research and reporting lead for the eSentire TRU, told Computer Weekly that the use of an insecure VPN to spread ransomware should not, in and of itself, come as a surprise to anybody.

“SSL VPNs are easy to misconfigure, and they are highly targeted for exploitation since they must be exposed to the internet and they provide access to credentials for the organisation,” said Keplinger.

“Additionally, the tendency for these devices to be managed by a third party often means that the organisation and their security providers have no direct visibility into activities being conducted on the device. This allows threat actors longer dwell times, as observed in the sale of these devices on the dark web, [making] SSL VPNs a prime target for initial access brokers [IABs],” he added.

To this point, Keplinger explained that the TRU had also observed multiple parties buying and selling access to compromised Fortinet devices in the weeks after the initial disclosure. These sales ranged from individual targets to bulk sales of multiple potential victims – in one case, an IAB was observed selling bulk access on a monthly subscription basis, asking between $5,000 and $7,000.

Keplinger said the TRU’s research had shown that cyber criminals are always on the ball when it comes to exploiting vulnerabilities in well-used products. Fortinet, as a popular supplier of network security solutions, could be considered particularly at risk of having its technology exploited in such a way.

“A particular blind spot, in this case, was out-of-date Fortinet devices, managed by third parties. This creates a visibility gap for the organisation and their security providers – in cases we observed, this led to the Fortinet devices being leveraged by ransomware actors. You can’t get an endpoint agent on a Fortinet device, but they do have security logging functionality, which is what allowed us to track down and intercept devices that initial access brokers were sitting on,” said Keplinger.

“To detect intrusion actions, after that access has been sold, endpoint monitoring usually does the trick, and if your endpoint monitoring solution can quarantine endpoints, you can intercept attacks before they get the ransomware deployed,” he added.

Computer Weekly reached out to Fortinet for more information, but the organisation had not responded at the time of publication.

At the same time, defenders should be alert to the possibility of exploitation of a different vulnerability in the FortiOS SSL VPN, disclosed by France-based Olympe Cyberdefense just before Christmas. The heap-based buffer overflow tracked as CVE-2022-42475 could enable remote, unauthenticated attackers to execute arbitrary code.

 


