Hackers Leverage Compromised Fortinet Devices to Distribute Ransomware

Threat actors have exploited Fortinet Virtual Private Network (VPN) devices to try and infect a Canadian-based college and a global investment firm with ransomware.

The findings come from eSentire’s Threat Response Unit (TRU), which reportedly stopped the attacks and shared information about them with Infosecurity ahead of publication.

eSentire said the threat actors tried to exploit a critical Fortinet vulnerability (tracked CVE-2022-40684) discovered by the company in October 2022.

“Fortinet described the security weakness as an authentication bypass vulnerability. If successfully exploited, an unauthenticated attacker could gain access to a vulnerable Fortinet device.”

In the advisory, Fortinet said they had seen only one incident where the vulnerability was being actively exploited, but a few days later, a functional proof-of-concept (POC) exploit code was publicly released.

“TRU first saw a slew of threat actors scanning the internet for vulnerable Fortinet devices,” eSentire wrote.

Conducting dark web hunts, TRU then said it observed hackers buying and selling compromised Fortinet devices in the underground markets, indicating widespread exploitation.

“Hacker sales ranged from individual organizations to bulk sales, with numerous buyers showing interest,” eSentire explained.

Once they noticed this activity, the team said it tracked down the technical details of the exploit and created log-based detections for Fortinet devices.

“Conducting threat hunts, TRU swept historical logs from the Fortinet devices looking for indicators of compromise,” reads the company’s report. “TRU identified several customers whose devices showed signs of recent threat activity.”

Among that activity were the two aforementioned cyber-intrusions, eSentire said.

“In both cases, once the hackers got a foothold into the targets’ IT environments via the Fortinet VPNs, the threat actors used Microsoft’s remote desktop protocol (RDP) service by abusing trusted Windows processes (also referred to as LOLBINs or living-off-the-land binaries) to achieve lateral movement.”

“The hackers also abused the legitimate encryption utilities, BestCrypt and BitLocker, which were originally intended to secure data – not hold it hostage,” eSentire continued.

According to the advisory, the use of a remote exploit, LOLBINs and legitimate encryption combined with no leak site make attribution difficult.

“However, the ransom note did follow the format of a ransomware observed in early 2022 known as KalajaTomorr,” warned eSentire, “an operation which has been observed deploying BestCrypt via RDP lateral movement.”

Commenting on the exploit is Keegan Keplinger, research and reporting lead for eSentire’s TRU research team. 

“Like any security technology, it is possible to misconfigure an SSL VPN, which can leave [organizations] susceptible to attacks,” said Keplinger.

“VPNs are Internet-facing, so they are easier for hackers to target. What makes them so valuable to threat actors is that VPN devices are often integrated with organization-wide authentication protocols, so access to a VPN device means access to the organization’s credentials.”

The TRU advisory comes a couple of months after the Bahamut spyware group was spotted compromising Android devices via fake VPN apps.