FBI and CISA Release Bulletin Citing Hackers’ On-Going Efforts to Exploit Fortinet Vulnerabilities

Feb 10, 2022 4:44:00 AM

On Friday, April 2nd, the United States Federal Bureau of Investigation (FBI) and Homeland Security Department’s Cybersecurity and Infrastructure Security Agency (CISA) released a joint bulletin titled APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks announcing that they had observed advanced persistent threat (APT) actors scanning devices and seeking to exploit vulnerabilities in Fortinet’s FortiOS.The FBI and CISA outline in the bulletin that they believe malicious threat actors are seeking to use Fortinet For2tiOS vulnerabilities—CVE 2018-13379, CVE-2020-12812, and CVE-2019-5591—to forcefully attack and gain illegal access to multiple public and private sector targets in government and across the business landscape. The entities involved with these on-going attacks are using some or all of these CVEs to access networks and complete pre-positioning tactics for follow-on data exfiltration or data encryption attacks. These threat actors are likely to use additional CVEs and exploitation methods such as spearphishing to maliciously gain access to critical digital infrastructure in preparation for additional attacks. This news comes on the heels of a report released by researchers at Kaspersky Labs on Wednesday, April 7th titled Vulnerability in Fortigate VPN servers is exploited in Cring ransomware attacks linking Fortinet’s Fortigate VPN service with the newly discovered Cring ransomware variant that has been unleashed against European industrial companies. In this article, we will cover everything you need to know about recent events targeting Fortinet vulnerabilities and what can be done to mitigate persistent and on-going threats to secure your organization’s vital digital infrastructure.

Immediate Steps to Take to Mitigate Fortinet Vulnerabilities

The FBI and CISA have urged organizations to take the following steps to mitigate Fortinet vulnerabilities. It is important to note that even organizations that do not use Fortinet products are asked to take specific steps to ensure this on-going situation does not compromise mission-critical cybersecurity resilience. The following mitigation steps have been provided by the FBI and CISA in a bulletin available here. Organizations should take the following steps:

Use multi-factor authentication where possible.
Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.

Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
Install and regularly update antivirus and anti-malware software on all hosts.
Consider adding an email banner to emails received from outside your organization.
Disable hyperlinks in received emails.
Focus on awareness and training. Provide users with training on information security principles and techniques, particularly on recognizing and avoiding phishing emails.

Immediately patch CVEs 2018-13379, 2020-12812, and 2019-5591.
If FortiOS is not used by your organization, add key artifact files used by FortiOS to your organization’s execution deny list. Any attempts to install or run this program and its associated files should be prevented.
Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the primary system where the data resides.
Implement network segmentation.
Require administrator credentials to install software.
Implement a recovery plan to restore sensitive or proprietary data from a physically separate segmented, secure location (e.g., hard drive, storage device, the cloud).
Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.

Crimeware Outlook 2021: Ransomware On the Rise

Crimeware is enjoying a renaissance as of late with the high-profile ransomware variants REvil, Ryuk, Maze and Conti making news in recent months. Steve Morgan, Editor in Chief at Cybercrime Magazine released a report titled 2021 REPORT: CYBERWARFARE IN THE C-SUITE that projects the global market for cyberware will reach a value of $10.5 trillion as early as 2025. Cring is the latest in a string of devastating ransomware attacks to span the globe. Notably, in March, computer giant Acer was targeted by the REvil variant to the tune of $50,000,000. While at present this seems to be the highest ransom requested it is extremely challenging to confirm due to the nature of these attacks and the fact that many organizations have vested interest not to disclose vulnerabilities and exploits leading to events like these.

Cring is a crypto ransomware variant that encrypts data from business users and servers with AES-256 + RSA-8192 and then demands a 2 BTC ransom to return access to its original owners. This crypto ransomware variant is unleashed with files that are named cring.exe and Crypt3r. The malicious program works by gaining access to an enterprise network, and utilizing a tool such as Mimikatz to capture the account credentials of Windows users who have logged into the system previously. From here, attackers are able to compromise domain administrator accounts and then use tools such as Cobalt Strike backdoor and Powershell to distribute attacks across other programs found on the system. Once the malicious actors have seized control of vital data, they download a cmd script to actually launch Cring with the added detail of launching an execution script called “Kaspersky” to mask its true intent. Cring encrypts all data and destroys backups once it is launched. It accomplishes this by taking hold of Veritas NetBackup and the Microsoft SQL server. It also stops the SstpSvc service to make it much harder for administrators to employ remediation techniques. The crypto ransomware then works to end other key application processes inside Microsoft Office and the Oracle Database to further encrypt and remove backup of vital data making it impossible to decrypt files without access to a RSA private key held by the threat actors. This begins by first using an AES encryption key which is then further encrypted with an 8,192-bit RSA public key hard-coded into the malicious program’s executable file. Finally, once the encryption is complete the program drops a ransom note requesting 2 bitcoins be delivered to receive the key necessary to retrieve the files. So far, Cring has been used to attack industrial targets and control systems (ICS) but it seems possible malicious threat actors could be working to deploy this crypto ransomware on additional organizations in Europe and around the world. This further underscores why it is so essential to address on-going cyber threats with recommended mitigation techniques. It is too soon to know the full scope of Cring and how Fortinet services could further be exploited to unleash devastating and costly cybercrimes.