A hacker has published a list of one-line exploits that can exfiltrate VPN credentials from nearly 50,000 Fortinet VPN devices. The list of vulnerable targets contains domains belonging to financial institutions and government organizations in many countries, including Japan, the US, China, France, India, South Korea, the United Kingdom, Australia, Hong Kong, Malaysia, Germany, and Argentina. Attackers have been leveraging a vulnerability tracked as CVE-2018-13379, which affects a wide range of unpatched Fortinet FortiOS SSL VPN devices.
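As a defender-side triage aid, the following is an added example (not part of the CYFIRMA report and not Fortinet tooling) that scans web-portal access logs for directory-traversal attempts, the bug class behind CVE-2018-13379, and normalizes the percent-encoding and slash-padding that a plain "../" grep misses. The log format, portal paths and addresses are constructed placeholders; the line parser must be adapted to the real log source.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in common access-log format (not real FortiGate output;
# adapt LINE to the log source in use). Addresses are documentation ranges,
# the portal paths are placeholders, the traversal payloads are obfuscated forms.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Nov/2020:10:01:02 +0000] "GET /sslvpn/login HTTP/1.1" 200 4127
203.0.113.7 - - [20/Nov/2020:10:01:05 +0000] "GET /sslvpn/lang?lang=/../../../..//////////etc/passwd HTTP/1.1" 200 1288
198.51.100.23 - - [20/Nov/2020:10:02:11 +0000] "GET /sslvpn/lang?lang=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 162
192.0.2.44 - - [20/Nov/2020:10:03:30 +0000] "GET /sslvpn/lang?lang=en HTTP/1.1" 200 6410
"""
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
TRAVERSAL = re.compile(r"(?:^|[/?=&])\.\.(?:/|$)")

def normalize_target(raw: str) -> str:
    """Undo what a plain '../' grep misses: percent-encoding (decoded twice
    to catch double encoding), backslashes, and runs of slashes."""
    return re.sub(r"/+", "/", unquote(unquote(raw)).replace("\\", "/"))

def is_traversal(target: str) -> bool:
    """True if the path or any query value steps up the directory tree.
    Deliberately broad: legitimate portal URLs never contain '..'."""
    return TRAVERSAL.search(normalize_target(target)) is not None

def find_traversal_attempts(log_text: str) -> list:
    """One record per request whose target is a traversal attempt. A 2xx
    status is the case to treat as a probable successful file read."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and is_traversal(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                         "status": int(m["status"])})
    return hits

def summarize_by_source(hits: list) -> Counter:
    """Attempts per source address, for the incident write-up."""
    return Counter(h["ip"] for h in hits)

if __name__ == "__main__":
    found = find_traversal_attempts(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["ip"], h["status"], h["target"])
    print(summarize_by_source(found))
```

A hit with a 2xx status and a non-empty response body should be handled as a probable credential exposure (reset VPN credentials and patch), not merely as a blocked probe.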
This report contains observations of recent attacks, threat actor attribution, and a detailed analysis of exploitation techniques.
CYFIRMA Risk Rating for this advisory is: HIGH
The following sections detail recent attacks that have been observed exploiting this vulnerability.
Threat Actor(s): APT33, APT34, and APT39
CVE-ID(s): CVE-2019-11510, CVE-2019-1579, CVE-2018-13379, CVE-2019-19781
Target(s): IT, Telecommunication, Oil and Gas, Aviation, Government, and Security Sectors (worldwide including Israel)
Objective: Steal sensitive information, implant backdoors
Technique: In February 2020, researchers reported that Iranian state-sponsored hackers had been targeting several organizations in Israel and around the world for the previous three years. The campaign, dubbed Fox Kitten, primarily leveraged unpatched VPN vulnerabilities, including Pulse Secure Connect (CVE-2019-11510), Palo Alto Networks’ GlobalProtect (CVE-2019-1579), Fortinet FortiOS (CVE-2018-13379), and Citrix (CVE-2019-19781), to penetrate target networks and exfiltrate information from the infected systems. After gaining an initial foothold, the infected systems were observed communicating with C2 servers to download a series of custom VBScript files used to install backdoors. The backdoor code was downloaded in chunks to evade detection by antivirus solutions installed on the victim’s system.
Moreover, after establishing lateral movement capabilities, the threat actors executed the backdoor to scan the infected system for relevant information and exfiltrated the files back to the attacker over a remote desktop connection. This connection was established either via a self-developed tool called POWSSHNET or by opening a socket-based connection to a hardcoded IP address. Later, in September 2020, the Iranian state-sponsored group behind this campaign was observed selling access to compromised corporate networks on an underground hacking forum.
CVE-ID(s): CVE-2019-19781, CVE-2019-11510, CVE-2018-13379, CVE-2019-9670
Threat Actor(s): APT29 (Cozy Bear)
Target(s): Academic and Pharmaceutical Research Institutions (worldwide including the U.S.)
Objective: Stealing information and intellectual property related to the development and testing of COVID-19 vaccines
Technique: Throughout 2020, APT29 has been observed targeting multiple entities around the world that are working to develop a COVID-19 vaccine. To carry out this campaign, the threat actor has abused vulnerabilities including the Citrix code-injection bug (CVE-2019-19781), a publicized Pulse Secure VPN flaw (CVE-2019-11510), and issues in FortiGate (CVE-2018-13379) and Zimbra (CVE-2019-9670). The attackers exploit these flaws to gain initial access to targets, alongside spear-phishing to obtain authentication credentials for the target entities’ internet-accessible login pages.
Once established in a network, the threat actor uses malware dubbed WellMess and WellMail to carry out further operations on the infected system and steal data. WellMess was first spotted in July 2018 and supports HTTP, TLS, and DNS for communications. WellMail is a lightweight malware designed to run commands or scripts while communicating with a hardcoded command-and-control (C2) server. The threat actor was also observed using another malware known as SoreFang, a first-stage downloader that uses HTTP to steal victim information and download second-stage malware.
CVE-ID(s): CVE-2019-11510, CVE-2018-13379, CVE-2019-1579, CVE-2019-19781, CVE-2020-2021, CVE-2020-5902
Objective: Deploy ransomware, perform cyber-espionage campaigns
Technique: During the second half of 2020, a new wave of ransomware attacks relying on an approach known as “double extortion” was observed. In particular, attackers were seen actively exploiting multiple VPN vulnerabilities, including CVE-2019-11510, CVE-2018-13379, CVE-2019-1579, CVE-2019-19781, CVE-2020-2021, and CVE-2020-5902, to deploy ransomware, while state-sponsored actors used the same flaws to carry out cyber-espionage campaigns. Threat actors were also noticed modifying their modus operandi, selecting victims with vulnerable internet-facing systems and abusing those systems to break into the target’s network. This approach lets the attackers establish a foothold, deploy the malicious payload, and ensure that the infection spreads rapidly across the entire organization.
CVE-ID(s): CVE-2020-1472, CVE-2018-13379
Target(s): U.S. presidential elections
Objective: To gain initial access and compromise government networks
Technique: In October 2020, attackers were observed using the Fortinet vulnerability (CVE-2018-13379) to gain initial access to the targeted entities. Alongside it, Microsoft’s severe privilege-escalation flaw (CVE-2020-1472), dubbed “Zerologon”, was used to escalate privileges and gain access to Windows AD servers. The attackers were also observed leveraging open-source tools, including Mimikatz and CrackMapExec, to acquire valid account credentials from the AD servers.