Fortinet customers that have not yet patched a critical authentication bypass vulnerability that the vendor disclosed in October in multiple versions of its FortiOS, FortiProxy, and FortiSwitch Manager technologies now have an additional reason to do so quickly.
At least one threat actor, operating on a Russian Dark Web forum, has begun selling access to multiple networks compromised via the vulnerability (CVE-2022-40684), and more could follow suit soon. Researchers from Cyble who spotted the threat activity described the victim organizations as likely using unpatched and outdated versions of FortiOS.
Selling Access to Compromised Networks
Dhanalakshmi PK, senior director of malware and research intelligence at Cyble, says the company's available intelligence indicates the threat actor might have access to five major organizations via the vulnerability. Cyble's analysis showed the attacker attempting to add their own public key to the admin user's account on the compromised systems.
"An attacker can update or add a valid public SSH key to a targeted account on a system and can then typically gain complete access to that system," Dhanalakshmi says. "Additionally, the threat actor could launch other attacks against the rest of the IT environment with the foothold and knowledge gained through exploiting this vulnerability."
Cyble said a scan it conducted showed more than 100,000 Internet-exposed FortiGate firewalls, a substantial number of which are likely exploitable because they remain unpatched against the vulnerability
Fortinet publicly disclosed CVE-2022-40684 on Oct. 10, a few days after privately notifying customers of affected products about the threat. The vulnerability essentially gives an unauthenticated attacker a way to gain full control of an affected Fortinet product by sending it specially crafted HTTP and HTTPS requests. Security researchers have described the vulnerability as easy to find and trivial to exploit because all that an attacker needs to do is gain access to the management interface of a vulnerable system.
Popular Target for Attackers
When Fortinet disclosed the vulnerability, it urged customers to immediately update to patched versions of the affected products and warned of active exploit activity targeting the flaw. It also urged companies that could not update to immediately disable HTTPS administration on their vulnerable Internet-facing Fortinet products. The US Cybersecurity and Infrastructure Security Agency (CISA) promptly listed the flaw its catalog of known exploited vulnerabilities and gave federal civilian agencies until Nov. 1, 2022, to address the issue.
Much of the concern stemmed from the popularity of Fortinet products — and technologies from other vendors in the same network edge category — among threat actors. Soon after Fortinet disclosed the flaw, proof-of-concept code for exploiting it became publicly available, and security vendors reported large-scale scanning activity targeting the flaw. The number of unique IP addresses targeting the flaw soared in a matter of days from the single digits to more than 40.
And that number has grown. James Horseman, exploit developer at Horizon3ai, a security vendor that did much of the initial research around the vulnerability, says the number of unique IPs currently targeting the Fortinet flaw has risen to 112, according to data from GreyNoise, which tracks malicious scanning activity on the Internet.
"These Fortinet devices are typically Internet-facing for corporations and are seldom monitored," adds Zach Hanley, chief attack engineer at Horizon3ai. "This combination makes it great for sustained initial access into a network for threat actors who are looking to conduct reconnaissance, deploy ransomware, steal data, etc."
Threat actors have hammered away in similar fashion at other Fortinet flaws for the same reason. Notable examples include CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591, a set of three flaws that Iran-backed threat groups were observed exploiting in numerous attacks. In April 2021, the FBI and CISA warned of other advanced persistent threat groups exploiting the same set of flaws in attacks against organizations in the US and elsewhere.