On Thursday, the FBI issued a warning regarding FortiGate, the popular next-generation firewall (NGFW) by Fortinet. Vulnerabilities in the appliance are being actively exploited by an advanced persistent threat (APT) group. You can find the full flash report here.
"The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) previously warned in April 2021 that APT actors had gained access to devices on ports 4443, 8443, and 10443 for Fortinet FortiOS CVE-2018-13379, and enumerated devices for FortiOS CVE-2020-12812 and FortiOS CVE-2019-5591."
"APT actor group almost certainly exploited a FortiGate appliance to access a webserver hosting the domain for a US municipal government."
Fortinet, in response to ZDNet, stated that "CVE-2018-13379 is an old vulnerability resolved in May 2019" that the company immediately issued a PSIRT advisory for. The company said it also "communicated directly with customers and via corporate blog posts on multiple occasions in August 2019, July 2020, and again in April 2021 strongly recommending an upgrade."
Mickey Bresman, co-founder and CEO of Semperis, weighed in on this latest vulnerability exploitation in the wild.
“While you can't prevent a zero day, monitoring and actively blocking non-authorized changes to the organizational identity store will minimize the damage and help to contain a breach. Three steps you can take to shore up your defenses: Invest resources in closing up common security gaps in Active Directory (such as reviewing permissions policies), continually scan your environment for Indicators of Exposure and Indicators of Compromise, and ensure that you can quickly recover AD to a clean, malware-free state in the event of a cyberattack. Minimizing the attack surface and hardening your AD will mean that not every network breach directly leads to losing control over your AD.”
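The advice above turns on one concrete control: noticing changes to the identity store that nobody approved. The following is an added example, not code from the article, the FBI report, or Semperis. It compares two snapshots of privileged Active Directory groups and reports every membership or attribute change that is not covered by an approved-change list. The snapshots, group names, and the change-ticket format are all constructed for the example; in a real deployment the "before" and "after" dictionaries would come from an LDAP export or a directory-replication feed (an assumption of this example, not something the article describes).

```python
"""Flag non-authorized changes to privileged Active Directory groups.

Added example; the snapshot format (group DN -> attribute dict) and the
approved-change tuples are assumptions of this example, not a Semperis or
Microsoft format.
"""
from __future__ import annotations

from dataclasses import dataclass

# Attributes on a group object whose modification is worth alerting on.
# Chosen for the example; extend to whatever your baseline covers.
WATCHED_ATTRS = ("managedBy", "description")


@dataclass(frozen=True)
class Change:
    kind: str    # member_added | member_removed | attr_changed | group_created | group_deleted
    group: str   # DN of the group object
    detail: str  # member DN, or "attr: old -> new"

    def key(self) -> tuple[str, str, str]:
        return (self.kind, self.group, self.detail)


def diff_group(group: str, before: dict | None, after: dict | None) -> list[Change]:
    """Return every change between two snapshots of a single group object."""
    if before is None:
        return [Change("group_created", group, "")]
    if after is None:
        return [Change("group_deleted", group, "")]

    changes: list[Change] = []
    old_members = set(before.get("member", []))
    new_members = set(after.get("member", []))
    for dn in sorted(new_members - old_members):
        changes.append(Change("member_added", group, dn))
    for dn in sorted(old_members - new_members):
        changes.append(Change("member_removed", group, dn))
    for attr in WATCHED_ATTRS:
        if before.get(attr) != after.get(attr):
            changes.append(Change("attr_changed", group,
                                  f"{attr}: {before.get(attr)!r} -> {after.get(attr)!r}"))
    return changes


def audit(before: dict[str, dict], after: dict[str, dict],
          approved: set[tuple[str, str, str]]) -> list[Change]:
    """Diff every privileged group in either snapshot; keep only changes
    that have no matching approved-change record."""
    findings: list[Change] = []
    for group in sorted(set(before) | set(after)):
        for change in diff_group(group, before.get(group), after.get(group)):
            if change.key() not in approved:
                findings.append(change)
    return findings


# --- Constructed sample data (not real directory content) -------------------
DA = "CN=Domain Admins,CN=Users,DC=example,DC=test"
BEFORE = {
    DA: {"member": ["CN=alice,CN=Users,DC=example,DC=test",
                    "CN=bob,CN=Users,DC=example,DC=test"],
         "managedBy": "CN=IT Admins,OU=Groups,DC=example,DC=test",
         "description": "Designated administrators of the domain"},
}
AFTER = {
    DA: {"member": ["CN=alice,CN=Users,DC=example,DC=test",
                    "CN=bob,CN=Users,DC=example,DC=test",
                    "CN=svc-backup,OU=Service,DC=example,DC=test",   # ticketed
                    "CN=webadmin,CN=Users,DC=example,DC=test"],      # not ticketed
         "managedBy": "CN=IT Admins,OU=Groups,DC=example,DC=test",
         "description": "Designated administrators of the domain"},
}
# Approved changes are recorded as the same (kind, group, detail) tuples the
# audit produces, e.g. exported from a change-ticket system (assumption).
APPROVED = {("member_added", DA, "CN=svc-backup,OU=Service,DC=example,DC=test")}


def run_sample() -> list[Change]:
    """Run the audit over the constructed snapshots."""
    return audit(BEFORE, AFTER, APPROVED)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"UNAUTHORIZED {finding.kind} on {finding.group}: {finding.detail}")
```

Running the block prints one finding, the untracked addition of `webadmin` to Domain Admins; the service-account addition is suppressed because a matching approved record exists. The same diff-and-allowlist pattern extends to any object class (GPO links, ACLs on AdminSDHolder) once the snapshot exporter includes those attributes.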