UPDATED 22:16 EDT / APRIL 04 2021

SECURITY

Hackers are actively targeting FortiOS vulnerabilities, warn FBI and CISA

The U.S. Federal Bureau of Investigation and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency have released a joint cybersecurity advisory warning that hacking groups are actively targeting vulnerabilities in Fortinet Inc.’s FortiOS.

While not naming the hacking groups targeting the operating system, the April 2 advisory describes them as advanced persistent threat groups, hacking groups that are typically sponsored by nation-states.

The APTs are said to be scanning devices on ports 4443, 8443 and 10443 for three vulnerabilities: CVE-2018-13379, a vulnerability that allows an unauthenticated attacker to download system files through SSL VPN; CVE-2020-12812, also an improper authentication vulnerability in SSL VPN in FortiOS; and CVE-2019-5591, a default configuration vulnerability that allows an attacker to intercept sensitive information by impersonating the LDAP server.

“It is likely that the APT actors are scanning for these vulnerabilities to gain access to multiple government, commercial and technology services networks,” the advisory states.

Along with immediately applying patches for the three vulnerabilities, the advisory also recommends that organizations take practical measures, including regularly backing up data, implementing a recovery plan, using multifactor authentication where available, disabling unused remote access/Remote Desktop Protocol ports and monitoring remote access/RDP logs.
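The advisory's two detection-side points, the three scanned ports and the recommendation to monitor remote access logs, can be combined into a simple check. The script below is an added example and is not code from the advisory, Fortinet or the agencies; it reads constructed, generic firewall-style log lines (not FortiOS's own log format) and flags any source address that touches two or more of ports 4443, 8443 and 10443 within a short window, which is the pattern a scanner sweeping for these services would leave behind. The addresses, timestamps and the `find_probers`/`parse_line` names are all assumptions made for the example.

```python
"""Flag sources sweeping the SSL VPN ports named in the FBI/CISA advisory.

Added example. The log line format, the IP addresses (documentation
ranges) and the timestamps below are constructed for illustration and
do not reproduce any vendor's log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the advisory says APT actors are scanning.
WATCHED_PORTS = {4443, 8443, 10443}

# Constructed line shape: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+) dst=(?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def find_probers(lines, window=timedelta(minutes=10), min_ports=2):
    """Return {src_ip: sorted watched ports} for every source that contacted
    at least `min_ports` distinct watched ports inside any `window`-long span.

    Blocked and allowed connections both count: a denied probe still shows
    that someone is looking for these services.
    """
    hits = defaultdict(list)  # src -> [(timestamp, dport), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in WATCHED_PORTS:
            continue
        hits[rec["src"]].append((rec["ts"], rec["dport"]))

    flagged = {}
    for src, events in hits.items():
        events.sort()
        # Sliding window: start at each event, gather distinct ports that
        # fall within `window` of it, and flag on the first span that qualifies.
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged


# Constructed sample log: one sweeping host, one benign single connection,
# one host whose two probes are hours apart, and one malformed line.
SAMPLE_LOG = [
    "2021-04-02T09:00:01 src=203.0.113.7 dst=192.0.2.10 dport=4443 action=deny",
    "2021-04-02T09:00:02 src=203.0.113.7 dst=192.0.2.10 dport=8443 action=deny",
    "2021-04-02T09:00:04 src=203.0.113.7 dst=192.0.2.10 dport=10443 action=accept",
    "2021-04-02T09:05:00 src=198.51.100.22 dst=192.0.2.10 dport=8443 action=accept",
    "2021-04-02T09:05:03 src=198.51.100.22 dst=192.0.2.10 dport=443 action=accept",
    "2021-04-02T09:00:00 src=192.0.2.9 dst=192.0.2.10 dport=4443 action=deny",
    "2021-04-02T11:00:00 src=192.0.2.9 dst=192.0.2.10 dport=10443 action=deny",
    "this line is not a firewall record",
]

if __name__ == "__main__":
    for src, ports in find_probers(SAMPLE_LOG).items():
        print(f"{src} swept watched ports {ports}")
```

Running it flags only 203.0.113.7, which hit all three ports within seconds; 198.51.100.22 touched a single watched port and 192.0.2.9 spread its two probes two hours apart, so neither trips the default 10-minute window. Widening the window (for instance to several hours) is the knob to turn when slow scans are the concern, at the cost of more noise from legitimate users who connect to more than one VPN portal.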

In response to the advisory, Fortinet said in an April 3 blog post that “no company is happy about security vulnerabilities, particularly a company like Fortinet operating in the security industry. But we continually strive to improve processes, including actively testing our code and fixing issues detected both internally and externally to deliver a more robust solution to our customers.”

“Attackers are increasingly targeting critical external applications, and VPNs have been targeted even more this last year,” Zach Hanley, senior Red Team engineer at pentesting company Horizon3.AI Inc., told SiliconANGLE. “These three vulnerabilities targeting the Fortinet VPN allow an attacker to obtain valid credentials, bypass MFA and man-in-the-middle authentication traffic to intercept credentials. The common theme here is: Once they are successful, they will look just like your normal users.”

Dirk Schrader, global vice president, security research at information technology security and compliance software firm New Net Technologies Ltd., noted that exploiting vulnerabilities in key infrastructure devices such as firewalls is a critical path for attackers because it allows them to establish a foothold behind them. “For any organization, monitoring these devices, patching them, controlling any configuration changes on them is a priority job for the security teams,” he said.

Image: Fortinet
