Penetration tester Horizon3.ai identifies Fortinet exploit source, assists those checking for potential attacks
In early October, cybersecurity company Fortinet Inc. made headlines after a severe vulnerability was exposed in several of its productions.
The zero-day flaw allowed potential remote attackers to access on-premises management controls on Fortinet’s core products FortiOS, FortiSwitchManager and FortiProxy, causing potentially catastrophic damages to affected users.
Penetration tester company Horizon3.ai Inc. was one of the key players in assisting potential victims, using its expertise to identify the source of the vulnerability by replicating it.
“We want to be to have a tool that can be used to exploit our customer system safely to prove that they’re vulnerable, so then they can go and fix it,” said James Horseman (pictured, right), exploit developer at Horizon3.ai. “The earlier that we have these tools to exploit, the quicker our customers can patch and verify that they are no longer vulnerable. So that’s the drive for us to go after these breaking exploits.”
Horseman and Zach Hanley (pictured, left), chief attack engineer at Horizon3.ai, spoke with theCUBE industry analyst John Furrier during an exclusive CUBE Conversation broadcasted on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed how they discovered the vulnerability, how they helped those possibly affected, and how the vulnerability could have been used to launch attacks.
Identification through replication
Horizon3.ai first heard about the vulnerability on Twitter, immediately noticing it affected Fortinet’s key products. The team was able to replicate the exploit after running both the patched and unpatched versions of the product and highlighting the differences.
“Because we already had the exploit, what we did was we exploited our test Fortinet devices in our lab,” Hanley explained. “And we collected our own indicators of compromise and wrote those up. And then we released them … so that people would have a better indication to judge their environments if they’ve been already exploited in the wild by this issue.”
This specific vulnerability allows attackers to make any request they wanted in a remote system as if they were an administrator. The vulnerability was a natural consequence of a growingly complex system and not an intentional channel of attack, according to Hanley. Cyber terrorists still seek out these unintentional vulnerabilities to conduct their attacks, especially on vulnerabilities that infiltrate edge devices.
“These edge devices are super important, and they’re going to get a lot of eyes from attackers trying to figure out different ways to get into the system,” Hanley said. “And as you saw, this was in the wild exploited, and that’s how Fortinet became aware of it. So, obviously, there are some attackers out there doing this right now.”
Here’s the complete video interview, one of many CUBE Conversations from SiliconANGLE and theCUBE:
Photo: SiliconANGLE
A message from John Furrier, co-founder of SiliconANGLE:
Your vote of support is important to us and it helps us keep the content FREE.
One click below supports our mission to provide free, deep, and relevant content.
Join our community on YouTube
Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.
THANK YOU