Incidents, attributions, and exploitation techniques for path traversal flaw in Fortinet FortiOS SSL VPN devices

First published on 16 Dec 2020

A hacker has published a list of one-line exploits that can exfiltrate VPN credentials from nearly 50,000 Fortinet VPN devices. The list of vulnerable targets contains domains that belong to financial institutions and government organizations across many countries, including Japan, the US, China, France, India, South Korea, the United Kingdom, Australia, Hong Kong, Malaysia, Germany, and Argentina. The flaw being leveraged is tracked as CVE-2018-13379: a path traversal vulnerability in the SSL VPN web portal of unpatched Fortinet FortiOS devices that lets an unauthenticated attacker read system files, including the session data that holds VPN credentials. Fortinet fixed the flaw in 2019 (FortiOS 5.4.13, 5.6.8, 6.0.5 and 6.2.0); the devices on the published list are those still running unpatched builds.
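As an added illustration (not taken from the original advisory, and not an exploit for CVE-2018-13379), the following Python script shows how a defender can flag path-traversal attempts against an SSL VPN web portal in its access logs. The log lines, client addresses and the `/remote/portal/` endpoint are constructed for the example. The check decodes each request target repeatedly (to catch double encoding), then walks the path segments and every query-string value and flags a request whose `..` segments step above the base directory.

```python
"""Flag HTTP requests whose path or query values escape the web root.

Added example: the log lines and the endpoint names below are constructed
(hypothetical) and are not taken from any real device, log or exploit.
"""
import re
import urllib.parse

# Constructed access-log lines in the common "combined" shape (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [16/Dec/2020:10:01:02 +0000] "GET /remote/login HTTP/1.1" 200 812
203.0.113.9 - - [16/Dec/2020:10:01:07 +0000] "GET /remote/portal/?lang=/../../../../etc/passwd HTTP/1.1" 200 4096
203.0.113.9 - - [16/Dec/2020:10:01:09 +0000] "GET /remote/portal/?lang=%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 4096
203.0.113.9 - - [16/Dec/2020:10:01:11 +0000] "GET /remote/portal/?lang=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 4096
198.51.100.2 - - [16/Dec/2020:10:02:00 +0000] "GET /static/css/../img/logo.png HTTP/1.1" 200 3221
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so %252e%252e becomes '..'."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_root(path_like: str) -> bool:
    """True if the segments, resolved from an empty base, ever step above it.

    Both '/' and '\\' are treated as separators; '.' and empty segments are
    ignored, '..' pops one level, anything else pushes one level.
    """
    depth = 0
    for seg in re.split(r"[\\/]+", fully_decode(path_like)):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def request_is_traversal(target: str) -> bool:
    """Check the raw path and every query-string value of a request target."""
    parsed = urllib.parse.urlsplit(target)
    if escapes_root(parsed.path):
        return True
    for _, value in urllib.parse.parse_qsl(parsed.query, keep_blank_values=True):
        if escapes_root(value):
            return True
    return False


def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (client_ip, request_target) for every line that looks like traversal."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match and request_is_traversal(match["target"]):
            hits.append((match["ip"], match["target"]))
    return hits


if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target}")
```

The legitimate `/static/css/../img/logo.png` request is not flagged because its `..` never rises above the base; only requests whose resolved path climbs out of it are reported, regardless of how many layers of percent-encoding hide the dots.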

This report contains observations of recent attacks, threat actor attribution, and a detailed analysis of exploitation techniques.

CYFIRMA Risk Rating for this advisory is: HIGH

The following presents the details of recent attacks that have been observed utilizing this vulnerability.

Iranian Hackers Exploiting VPN Flaws to Backdoor Organizations Worldwide

Threat Actor(s): APT33, APT34, and APT39

CVE-ID(s): CVE-2019-11510, CVE-2019-1579, CVE-2018-13379, CVE-2019-19781

Target(s): IT, Telecommunication, Oil and Gas, Aviation, Government, and Security Sectors (worldwide including Israel)

Objective: Steal sensitive information, implant backdoors

Technique: In February 2020, researchers reported that Iranian state-sponsored hackers had been targeting organizations in Israel and around the world for the previous three years. The campaign, dubbed Fox Kitten, primarily leveraged unpatched VPN vulnerabilities in Pulse Connect Secure (CVE-2019-11510), Palo Alto Networks GlobalProtect (CVE-2019-1579), Fortinet FortiOS (CVE-2018-13379), and Citrix ADC/Gateway (CVE-2019-19781) to penetrate targets and exfiltrate information from the compromised systems. After the initial foothold, infected systems were observed communicating with C2 servers to download a series of custom VBScript files used to install backdoors. The backdoor code was downloaded in chunks to evade the antivirus solutions installed on the victim's systems.

Once they had moved laterally, the threat actors ran the backdoor to scan the compromised systems for relevant information and exfiltrated the files over a remote desktop connection, established either via a self-developed tool called POWSSHNET or by opening a socket-based connection to a hardcoded IP address. In September 2020, the Iranian state-sponsored group behind this campaign was observed selling access to compromised corporate networks on an underground hacking forum.

Hackers Looking to Steal COVID-19 Vaccine Research

CVE-ID(s): CVE-2019-19781, CVE-2019-11510, CVE-2018-13379, CVE-2019-9670

Threat Actor: APT29 (also known as Cozy Bear)

Target(s): Academic and Pharmaceutical Research Institutions (worldwide including the U.S.)

Objective: Stealing information and intellectual property related to the development and testing of COVID-19 vaccines

Technique: Throughout 2020, APT29 has targeted multiple entities working on COVID-19 vaccine development across the globe. To carry out this campaign, the threat actor abused vulnerabilities including the Citrix ADC/Gateway flaw (CVE-2019-19781), the widely publicized Pulse Secure VPN flaw (CVE-2019-11510), and issues in FortiGate (CVE-2018-13379) and Zimbra (CVE-2019-9670). The group used these flaws to gain initial access to targets, alongside spear-phishing to obtain credentials for the targets' internet-accessible login pages.

Once established in a network, the threat actor uses malware dubbed WellMess and WellMail to carry out further operations on the infected system and steal data. WellMess was first spotted in July 2018 and supports HTTP, TLS, and DNS for communications. WellMail is a lightweight malware designed to run commands or scripts while communicating with a hardcoded command-and-control (C2) server. The threat actor was also observed leveraging another malware known as SoreFang, a first-stage downloader that uses HTTP to exfiltrate victim information and download second-stage malware.

Double Extortion Ransomware Attacks and the Role of Vulnerable Internet-Facing Systems

CVE-ID(s): CVE-2019-11510, CVE-2018-13379, CVE-2019-1579, CVE-2019-19781, CVE-2020-2021, CVE-2020-5902

Objective: Deploy ransomware, perform cyber-espionage campaigns

Technique: During the second half of 2020, a new wave of ransomware attacks relying on an approach known as "double extortion" was observed. Attackers were seen actively exploiting multiple VPN and edge-device vulnerabilities, including CVE-2019-11510, CVE-2018-13379, CVE-2019-1579, CVE-2019-19781, CVE-2020-2021, and CVE-2020-5902, to deploy ransomware, while state-sponsored actors used the same flaws for cyber-espionage campaigns. Threat actors have also modified their modus operandi: they select their victims and break into the target network through vulnerable internet-facing systems. This approach lets the attackers establish a foothold, deploy the malicious payload, and ensure that the infection spreads rapidly across the entire organization.

Election Systems Under Attack via Microsoft Zerologon Exploits

CVE-ID(s): CVE-2020-1472, CVE-2018-13379

Target(s): U.S. state and local government networks, including systems supporting the U.S. presidential elections

Objective: To gain initial access and compromise government networks

Technique: In October 2020, attackers were observed using the Fortinet vulnerability (CVE-2018-13379) to gain initial access to the targeted entities. They then used Microsoft's critical privilege-escalation flaw CVE-2020-1472, dubbed "Zerologon", to escalate privileges and gain access to Windows Active Directory (AD) servers. Zerologon is a flaw in the Netlogon Remote Protocol that lets an attacker with network access to a domain controller reset the DC's computer account password without authenticating, which is why a foothold obtained through the VPN was enough to reach domain takeover. The attackers were also observed leveraging the open-source tools Mimikatz and CrackMapExec to acquire valid account credentials from the AD servers.
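As an added example, not part of the original advisory, the Python below shows one heuristic for spotting the Zerologon step of such a chain in Windows Security logs: a 4742 "computer account was changed" event whose subject is ANONYMOUS LOGON (well-known SID S-1-5-7) and whose target is a computer account with a newly set password, correlated with a preceding anonymous network logon (4624, logon type 3) on the same domain controller. The JSON event records, host names and IP addresses are constructed, and the rule is a heuristic written here, not a vendor-supplied detection.

```python
"""Heuristic Zerologon (CVE-2020-1472) detection over Windows Security events.

Added example: the events below are constructed JSON records in the shape a
log forwarder might emit, not real logs, and the rule is an assumption-based
heuristic rather than an official detection.
"""
import json
from datetime import datetime, timedelta

ANONYMOUS_LOGON_SID = "S-1-5-7"  # well-known SID for ANONYMOUS LOGON

# Constructed 4624/4742 records: one anonymous reset of DC01$, two benign resets.
SAMPLE_EVENTS = """\
{"EventID": 4624, "TimeCreated": "2020-10-09T14:02:10Z", "Computer": "DC01.corp.example", "LogonType": 3, "TargetUserSid": "S-1-5-7", "TargetUserName": "ANONYMOUS LOGON", "AuthenticationPackageName": "NTLM", "IpAddress": "10.20.30.40"}
{"EventID": 4742, "TimeCreated": "2020-10-09T14:02:11Z", "Computer": "DC01.corp.example", "SubjectUserSid": "S-1-5-7", "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$", "PasswordLastSet": "10/9/2020 2:02:11 PM"}
{"EventID": 4742, "TimeCreated": "2020-10-09T15:30:00Z", "Computer": "DC01.corp.example", "SubjectUserSid": "S-1-5-18", "SubjectUserName": "DC01$", "TargetUserName": "WS042$", "PasswordLastSet": "10/9/2020 3:30:00 PM"}
{"EventID": 4742, "TimeCreated": "2020-10-09T16:00:00Z", "Computer": "DC01.corp.example", "SubjectUserSid": "S-1-5-21-1-2-3-1105", "SubjectUserName": "svc_sccm", "TargetUserName": "WS043$", "PasswordLastSet": "-"}
"""


def _ts(value: str) -> datetime:
    """Parse the ISO-8601 timestamp used in the constructed records."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_events(text: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_anonymous_machine_password_reset(event: dict) -> bool:
    """4742 where ANONYMOUS LOGON changed a computer account and PasswordLastSet moved.

    A legitimate machine-account password change is performed by the machine
    itself or by an administrator, never by the anonymous identity.
    """
    return (
        event.get("EventID") == 4742
        and event.get("SubjectUserSid") == ANONYMOUS_LOGON_SID
        and str(event.get("TargetUserName", "")).endswith("$")
        and event.get("PasswordLastSet", "-") != "-"
    )


def is_anonymous_network_logon(event: dict) -> bool:
    """4624 network logon (type 3) for the ANONYMOUS LOGON identity."""
    return (
        event.get("EventID") == 4624
        and event.get("LogonType") == 3
        and event.get("TargetUserSid") == ANONYMOUS_LOGON_SID
    )


def find_zerologon_candidates(events: list[dict], window: timedelta = timedelta(seconds=60)) -> list[dict]:
    """Return one finding per anonymous machine-account reset, with any anonymous
    network logons on the same host in the preceding window as corroboration."""
    findings = []
    for ev in events:
        if not is_anonymous_machine_password_reset(ev):
            continue
        when = _ts(ev["TimeCreated"])
        sources = sorted({
            e.get("IpAddress", "?")
            for e in events
            if is_anonymous_network_logon(e)
            and e.get("Computer") == ev.get("Computer")
            and timedelta(0) <= when - _ts(e["TimeCreated"]) <= window
        })
        findings.append({
            "host": ev.get("Computer"),
            "target": ev["TargetUserName"],
            "time": ev["TimeCreated"],
            "source_ips": sources,
            "corroborated": bool(sources),
        })
    return findings


if __name__ == "__main__":
    for finding in find_zerologon_candidates(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

The anonymous 4624 alone is noisy on many domain controllers; it is the combination with a 4742 whose subject is S-1-5-7 and whose target is a computer account that makes the finding actionable, so the correlation only decorates an already-suspicious reset with the likely source address.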

For details on threat actor attribution and exploitation techniques, email [email protected]