In recent years, the cybersecurity landscape has been increasingly marred by the exploitation of vulnerabilities in network security devices, with Fortinet devices emerging as a prime target for cybercriminals.
The impact of these vulnerabilities cannot be overstated, as they offer attackers a gateway to infiltrate networks, steal sensitive data, and disrupt operations. This analysis aims to shed light on the critical vulnerability recently announced in FortiOS and to contextualize the issue by examining how these vulnerabilities have been exploited over the last few years by various threat actors.
These vulnerabilities have been exploited by a wide range of threat actors, from nation-state groups to ransomware gangs to hacktivists, highlighting the attractiveness of Fortinet devices as a target.
Recently, Fortinet released a security advisory for an “Out-of-bounds Write” vulnerability in FortiOS, the operating system that runs Fortinet hardware such as FortiGate firewalls and switches.
The vendor states that the vulnerability is potentially being exploited in the wild. Following the vendor's notification, the Cybersecurity and Infrastructure Security Agency (CISA) added the same vulnerability to its “Known Exploited Vulnerabilities” catalog.
This critical vulnerability, CVE-2024-21762, affecting vulnerable versions of FortiOS, may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted HTTP requests. Fortinet has released a patch, but given how many FortiOS instances are Internet-accessible, the threat to organizations running the affected product increases considerably.
At the time of this investigation, Cyble’s ODIN scanner indicated ~290k Internet-exposed FortiOS instances, with the majority located in the United States and India, as shown below. It is important to note that not all of the highlighted exposed instances are necessarily vulnerable, yet the high count of these exposures provides threat actors (TAs) with a wide attack surface.
Historically, Fortinet devices, especially those with SSL VPN functionality, have been a frequent target for attackers. Multiple nation-state threat actors, including groups from China, Iran, and Russia, as well as ransomware groups such as Conti and LockBit, have exploited noteworthy vulnerabilities. These vulnerabilities have consistently appeared in the top routinely exploited vulnerability lists published by various national and international cybersecurity agencies.
Another recent security alert, released by the Dutch Military Intelligence and Security Service (MIVD), disclosed a Chinese cyber espionage campaign in the Netherlands. The MIVD detected COATHANGER malware linked to Chinese state actors, which spied on computer networks after the CVE-2022-42475 vulnerability in Fortinet’s FortiGate systems was exploited. The agency’s advisory specifically notes that this second-stage malware ‘could conceivably be used in combination with any present or future software vulnerability in FortiGate devices’.
Assessments by the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) indicate that Volt Typhoon, state-sponsored cyber actors linked to China, are strategically pre-positioning themselves within IT networks.
Their ultimate objective is to potentially launch disruptive or destructive cyber assaults against vital US infrastructure sectors, such as Communications, Energy, Transportation Systems, and Water and Wastewater Systems, extending beyond the mainland to encompass US territories like Guam.
As per the security alert released by CISA, the Volt Typhoon actors likely obtained initial access by exploiting CVE-2022-42475 in a network perimeter FortiGate 300D firewall that was not patched.
CRIL observed that even hacktivist groups have stepped up their efforts to exploit and obtain unauthorized access to Fortinet devices, a distinctive shift in their tactics. This trend is particularly concerning because it suggests that hacktivist groups may have acquired the capability to obtain or develop proof-of-concept (PoC) exploits for known vulnerabilities.
In the same context, we observed “The Five Families” threat group, made up of GhostSec, the Stormous extortion group, and other hacktivists/threat actors, in a recent incident selling Fortinet VPN access to a Taiwanese university and two US entities with USD 54 billion and USD 36 million in revenue, respectively.
Similarly, another pro-Israeli hacktivist group named ‘R00TK1T ISC Cyber Team’, while targeting Malaysian entities in an anti-Malaysia campaign, infiltrated a renowned Malaysian Telecommunication company’s Fortinet Firewall and threatened user and client data.
CRIL has observed that as soon as Fortinet-related vulnerabilities are disclosed, threat actors swiftly scramble to exploit them.
For instance, CVE-2022-42475, announced in December 2022, was followed by at least 18 instances of compromised access to Fortinet devices being offered on prominent underground forums after PoC exploits were released.
Similarly, after the disclosure of CVE-2023-27997 in June 2023, CRIL observed a striking 45 notable access sales across cybercrime channels. However, these statistics are only a partial indication of active exploitation by threat actors, and the true numbers could be far higher.
Cyble researchers noticed that the instances being sold over cybercrime forums belonged to multiple organizations dealing in the critical infrastructure sector, as shown in the figure below.
The continuous exploitation of Fortinet vulnerabilities by prominent threat actors underscores the critical importance of timely patch management and robust cybersecurity defenses. Organizations using Fortinet devices must remain vigilant, regularly update their devices, and monitor for signs of compromise. The history of attacks exploiting Fortinet vulnerabilities in the preceding years serves as a stark reminder of the persistent threat landscape and the need for proactive security measures to protect against these sophisticated cyber threats.
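The exposure counts above and the closing recommendation to patch promptly both come down to the same defender task: knowing which of your own Internet-facing FortiOS devices still run a build below the fixed version in the vendor advisory. The following script is an added example written for this page, not Cyble's tooling or Fortinet's code. It assumes a simple device inventory (host, country, reported version string); the inventory records, hostnames and the fixed-version table are constructed placeholders, and the version numbers are deliberately arbitrary, not the real advisory values. It also handles the cases a real inventory throws up: a version train the table does not cover, and a version string that cannot be parsed.

```python
"""Triage a FortiOS asset inventory against a fixed-version baseline.

Added example, not code from the article or from Fortinet. The baseline
table and inventory below are constructed placeholders; replace them with
the fixed versions from the vendor advisory and your own asset list.
"""
from collections import Counter
from dataclasses import dataclass, field
import re

# Accepts "7.4.1", "v7.4.1" and "7.4.1 build1234"; only major.minor.patch is kept.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


@dataclass(frozen=True)
class Device:
    host: str
    country: str
    version: str  # FortiOS version string as reported by the inventory source


@dataclass
class TriageReport:
    by_country: Counter = field(default_factory=Counter)  # exposure by country
    unpatched: list = field(default_factory=list)          # below fixed build
    unknown_train: list = field(default_factory=list)      # train not in baseline
    unparseable: list = field(default_factory=list)        # version string unusable


def parse_version(text):
    """Return (major, minor, patch) or None if the string is not a version."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_unpatched(version, fixed_versions):
    """True if below the fixed build for its train, False if at/above it,
    None if the train (major.minor) is absent from the baseline table."""
    fixed = fixed_versions.get(version[:2])
    if fixed is None:
        return None
    return version < fixed  # tuple comparison is lexicographic, as needed here


def triage(inventory, fixed_versions):
    """Classify every device and count exposure per country."""
    report = TriageReport()
    for dev in inventory:
        report.by_country[dev.country] += 1
        ver = parse_version(dev.version)
        if ver is None:
            report.unparseable.append(dev.host)  # needs manual verification
            continue
        status = is_unpatched(ver, fixed_versions)
        if status is None:
            report.unknown_train.append(dev.host)  # cannot judge from baseline
        elif status:
            report.unpatched.append(dev.host)
    return report


# Constructed placeholder baseline: lowest fixed build per major.minor train.
# These numbers are arbitrary; take the real ones from the vendor advisory.
SAMPLE_FIXED_VERSIONS = {
    (7, 4): (7, 4, 9),
    (7, 2): (7, 2, 12),
}

# Constructed sample inventory (hostnames are placeholders).
SAMPLE_INVENTORY = [
    Device("fw-a.example.net", "US", "7.4.8"),     # below 7.4.9 -> unpatched
    Device("fw-b.example.net", "US", "7.4.9"),     # at fixed build -> ok
    Device("fw-c.example.net", "IN", "v7.2.11"),   # below 7.2.12 -> unpatched
    Device("fw-d.example.net", "IN", "6.0.12"),    # 6.0 train not in baseline
    Device("fw-e.example.net", "DE", "unknown"),   # unparseable version
]

if __name__ == "__main__":
    r = triage(SAMPLE_INVENTORY, SAMPLE_FIXED_VERSIONS)
    print("exposure by country:", dict(r.by_country))
    print("unpatched:", r.unpatched)
    print("unknown train:", r.unknown_train)
    print("unparseable:", r.unparseable)
```

The separate "unknown train" and "unparseable" buckets matter in practice: a device whose release train is not in the baseline, or whose version cannot be read, must not silently count as patched, so the report keeps them visible for manual follow-up rather than folding them into the clean set.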