Threat Actors selling Fortinet access over the Darkweb
Multiple versions of Fortinet products, including FortiOS, FortiProxy, and FortiSwitchManager, are affected by CVE-2022-40684. “An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy, and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests,” according to the Fortinet advisory.
When targeting affected versions, an attacker abuses a control in the function that decides whether a request is allowed to reach the device’s REST API. By exploiting this vulnerability, the attacker adds an SSH key to the admin user, which then allows SSH access to the affected system as admin, as shown in the Tweet below.
An attacker who can update or add a valid public SSH key to a targeted account on a system can typically gain complete access to that system. With the foothold and knowledge gained through this vulnerability, the Threat Actor could then launch further attacks against the rest of the IT environment.
One online scanner shows over 100 thousand FortiGate firewalls exposed to the internet, as shown in Figure 2. Any of these that have not yet been patched are vulnerable to CVE-2022-40684 and are likely within attackers’ reach.
A malicious attacker might utilize the vulnerability to perform the following actions to compromise a system further:
- Modify the admin users’ SSH keys to enable the attacker to log in to the compromised system.
- Add new local users.
- Update networking configurations to reroute traffic.
- Download the system configuration.
- Initiate packet captures to capture other sensitive system information.
- Further distribute the sensitive system information, system configurations, and network details over the darkweb.
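The persistence artifact this list opens with, an unexpected SSH public key on an admin account, is something a defender can audit for in a configuration backup. The check below is an added example, not code from Cyble or Fortinet: it parses a configuration backup, fingerprints every admin SSH key in the OpenSSH SHA256 format, and reports keys that are not on an approved allowlist. The config text is constructed, and its `config system admin` / `set ssh-public-keyN` layout is assumed FortiOS CLI syntax that should be checked against a real backup; the parser tracks nested `config`/`end` blocks so it also handles admin entries that contain sub-blocks.

```python
# Added example, not code from Cyble or Fortinet: audit a FortiOS configuration backup
# for admin-account SSH public keys whose fingerprint is not on an approved allowlist.
# The config text is constructed and its 'config system admin' / 'set ssh-public-keyN'
# layout is assumed FortiOS CLI syntax; check it against a real backup before relying on it.
import base64, hashlib, re

APPROVED_FINGERPRINTS = {"SHA256:PLACEHOLDER_FINGERPRINT_OF_KNOWN_GOOD_KEY"}  # constructed
FAKE_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43   # constructed, decodes to 51 bytes
SAMPLE_CONFIG = f"""\
config system admin
    edit "admin"
        set ssh-public-key1 "ssh-ed25519 {FAKE_BLOB} attacker@example"
    next
    edit "netops"
        set accprofile "prof_admin"
    next
end
"""
KEY_RE = re.compile(r'^set (ssh-public-key\d) "(.*)"$')

def fingerprint(key_line):
    """OpenSSH-style SHA256 fingerprint of the base64 blob in 'type blob [comment]'."""
    try:
        digest = hashlib.sha256(base64.b64decode(key_line.split()[1])).digest()
    except (IndexError, ValueError):
        return "INVALID"
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(config_text=SAMPLE_CONFIG, approved=APPROVED_FINGERPRINTS):
    """Return one finding per admin SSH key not in the allowlist.
    Tracks nested config blocks so keys are only read from top-level admin entries."""
    findings, stack, user = [], [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end":
            if stack:
                stack.pop()
        elif stack and stack[-1] == "system admin":
            if line.startswith("edit "):
                user = line[len("edit "):].strip('"')
            elif line == "next":
                user = None
            elif user and (m := KEY_RE.match(line)):
                fp = fingerprint(m.group(2))
                if fp not in approved:
                    findings.append({"user": user, "setting": m.group(1), "fingerprint": fp})
    return findings
```

Comparing fingerprints rather than raw key strings lets the allowlist be built from `ssh-keygen -lf` output of the keys administrators actually issued.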
Affected versions
- FortiOS version 7.2.0 through 7.2.1
- FortiOS version 7.0.0 through 7.0.6
- FortiProxy version 7.2.0
- FortiProxy version 7.0.0 through 7.0.6
- FortiSwitchManager version 7.2.0
- FortiSwitchManager version 7.0.0
Timeline of events
October 6: Vendor issued email notification to the primary account owners of all potentially affected devices.
October 10: Vendor issued vulnerability advisory.
October 10: Horizon3 researchers tweeted about the vulnerability.
October 11: CISA added CVE-2022-40684 to its “Known Exploited Vulnerabilities Catalog”.
October 13: Technical blog and PoC released in the public domain; active exploitation starts.
November 17: FortiOS VPN access being sold on a cybercrime forum.
One trend observed from the above timeline, and from past vulnerabilities, is that from the day a vulnerability is publicly disclosed by the vendor or researchers, a notional timer starts among researchers, attackers, and the people responsible for patching. A typical representation of this race is shown in the figure below.
Whichever party reaches its objective first decides whether the newly disclosed vulnerability significantly impacts the victim organization, which can result in monetary, financial, and reputational loss. In this race between patching and exploitation, Proof of Concepts, scripts distributed over cybercrime forums, open-source tools, and similar resources play a decisive role.
Distribution of initial access has played a vital role in some of the recent major ransomware attacks across the globe. Cybercriminals have been improving their tactics and acquiring sophisticated cybercrime tools and techniques to stay ahead of law enforcement agencies (LEA) and the cybersecurity community. Cyble has observed Initial Access Brokers (IABs) playing a notorious role in the organized cybercrime ecosystem.
Cybercriminals, including ransomware groups, have created this convenient arrangement to monetize their efforts, reducing their risk and adding further layers of anonymity. IABs are a significant threat to enterprises, and monitoring such threats to avert business, financial, and reputational loss is imperative.
Darkweb and Cyber Crime Activities
During routine monitoring, researchers at Cyble observed a Threat Actor (TA) distributing unauthorized Fortinet VPN access to multiple organizations over one of the Russian cybercrime forums, as shown in the figure below.
While analyzing the access (figure 5), it was found that the attacker had attempted to add their own public key to the admin user’s account. According to intelligence gathered from sources, the victim organizations were running outdated FortiOS. Hence, with high confidence, we conclude that the Threat Actor behind this sale exploited CVE-2022-40684.
Cyble – Global Sensor Intelligence
Cyble’s Global Sensor Intelligence (GSI) observed attackers targeting Fortinet instances since October 17, 2022, as shown in the figures below.
The PUT request sent by the attacker, as observed through GSI, is shown in the figure below. The bypass rests on two conditions:
1. Using the Forwarded header, an attacker is able to set the ‘client_ip’ to ‘127.0.0.1’.
2. The ‘trusted access’ authentication check verifies that the ‘client_ip’ is ‘127.0.0.1’ and the ‘User-Agent’ is ‘Report Runner’, both of which are under the attacker’s control.
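The two conditions above translate directly into a detection rule for web-access logs or a reverse proxy in front of the management interface. The code below is an added example, not code from Cyble, Fortinet, or the exploit authors: it parses the `Forwarded` header per RFC 7239 (handling the quoted, bracketed, and port-suffixed node forms, not just the literal `127.0.0.1`), and rates a request as high severity when the header claims a loopback client while the TCP peer is not loopback and the User-Agent is `Report Runner`. The request records in `SAMPLE_REQUESTS` are constructed, not captured traffic.

```python
# Added detection example, not code from Cyble, Fortinet or the exploit authors.
# The request records in SAMPLE_REQUESTS are constructed, not captured traffic.
import re

LOOPBACK = "127.0.0.1"
TRUSTED_UA = "Report Runner"   # User-Agent the trusted-access check looks for

def forwarded_client_ips(value):
    """Return every for= node of an RFC 7239 Forwarded header, stripping quotes,
    brackets and ports: for="[127.0.0.1]:8000" and for=127.0.0.1 both give 127.0.0.1."""
    ips = []
    for element in re.split(r"[;,]", value):
        name, _, node = element.strip().partition("=")
        if name.strip().lower() != "for":
            continue
        node = node.strip().strip('"')
        if node.startswith("["):            # "[host]:port" form
            node = node[1:].split("]", 1)[0]
        elif node.count(":") == 1:          # bare IPv4 "host:port" form
            node = node.split(":", 1)[0]
        ips.append(node)
    return ips

def classify(peer_ip, headers):
    """peer_ip is the TCP source seen by the device, never a header value.
    'high' = both bypass conditions present, 'medium' = one, 'none' = neither."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    spoofed_loopback = (LOOPBACK in forwarded_client_ips(hdrs.get("forwarded", ""))
                        and peer_ip != LOOPBACK)
    spoofed_ua = hdrs.get("user-agent", "").strip() == TRUSTED_UA
    return {2: "high", 1: "medium"}.get(spoofed_loopback + spoofed_ua, "none")

SAMPLE_REQUESTS = [  # (peer_ip, method, headers) - constructed sample data
    ("203.0.113.7", "PUT", {"Forwarded": 'for="[127.0.0.1]:8000";by="[127.0.0.1]:9000";',
                            "User-Agent": "Report Runner"}),
    ("198.51.100.9", "GET", {"User-Agent": "Mozilla/5.0"}),
    ("192.0.2.4", "GET", {"Forwarded": "for=127.0.0.1", "User-Agent": "curl/8.0"}),
]

def scan(requests=SAMPLE_REQUESTS):
    """Map each peer IP to a severity; the spoofed PUT in the first sample rates 'high'."""
    return {peer: classify(peer, hdrs) for peer, _method, hdrs in requests}

if __name__ == "__main__":
    for peer, severity in scan().items():
        print(f"{peer:>14}  {severity}")
```

A lone loopback claim from an external peer is still worth a medium alert, since no legitimate client outside the device should ever present itself as 127.0.0.1.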
Conclusion
The authentication bypass vulnerability in Fortinet products allows an unauthenticated attacker to perform operations on the administrative interface. With large numbers of assets belonging to private and public entities exposed over the internet, the vulnerability falls under the critical category.
Publicly distributed Proof of Concepts (PoCs) and automation tools have made it more convenient for attackers to target victim organizations within a few days of a new CVE being announced. If security teams do not implement the patches and workarounds released by the official vendor, the risk of a successful cyber-attack increases sharply.
Threat Actors (TAs) are actively distributing access and leaks over darkweb and cybercrime forums by exploiting known and new vulnerabilities, and initial access distributed over the darkweb has been key to some of the recent major attacks. Darkweb and cybercrime forum monitoring should therefore be considered a critical pillar of an organization’s security posture.
Cyble actively investigates the latest CVEs, alerts, exploits, IABs, sensitive intelligence, etc., over the Surface web, Deep web, and Dark web, along with its network of Global Sensor Intelligence (GSI), providing early intelligence that allows organizations to safeguard critical assets.
Recommendations
- Update affected products with the latest patch released by the official vendor.
- Implement proper network segmentation to prevent attackers from performing lateral movement, and minimize exposure of critical assets over the internet.
- Keep critical assets behind properly configured and updated firewalls.
- Maintain continuous monitoring and logging to detect network anomalies early.
- Implement proper access controls within the IT environment.
- Conduct regular audits, vulnerability assessments, and penetration testing exercises to find security loopholes that attackers may exploit.
- Implement secure backup, archiving, and recovery processes within the organization.
- Run cyber security awareness training programs for employees within the organization.