Old Fortinet Vulnerabilities Exploited by State-Sponsored Actors

THREAT LEVEL: Amber.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a joint advisory warning that APT actors are gaining access to Fortinet VPN servers through ports 4443, 8443 and 10443. The state-sponsored actors are scanning for the vulnerabilities and gaining access to commercial, technology and government service networks.
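For defenders reviewing perimeter logs, the following added example (not part of the advisory) flags sources that probe the three ports named above. The log layout, field names, thresholds and sample addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Ports named in the FBI/CISA advisory as scanned on Fortinet VPN servers.
ADVISORY_PORTS = {4443, 8443, 10443}

# Assumed log layout (constructed for this example, not a vendor format):
#   <ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<verdict>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"dport=(?P<dport>\d+)\s+action=(?P<action>\w+)$"
)

# Constructed sample input; addresses come from documentation ranges.
SAMPLE_LOG = """\
2021-04-03T02:10:01Z src=198.51.100.7 dst=192.0.2.10 dport=4443 action=accept
2021-04-03T02:10:02Z src=198.51.100.7 dst=192.0.2.10 dport=8443 action=deny
2021-04-03T02:10:03Z src=198.51.100.7 dst=192.0.2.10 dport=10443 action=deny
2021-04-03T02:10:04Z src=198.51.100.7 dst=192.0.2.11 dport=10443 action=accept
2021-04-03T02:11:40Z src=203.0.113.25 dst=192.0.2.10 dport=10443 action=accept
2021-04-03T02:12:00Z src=203.0.113.99 dst=192.0.2.12 dport=443 action=accept
garbage line that does not parse
"""

def find_sweeps(log_text, min_ports=2, min_targets=2):
    """Return {src: {"ports": [...], "targets": [...]}} for sources that hit
    at least min_ports advisory ports, or at least min_targets hosts on those
    ports. A normal VPN user touches one port on one host and is not flagged.
    Lines that do not match the assumed layout are skipped."""
    ports = defaultdict(set)
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        dport = int(m["dport"])
        if dport not in ADVISORY_PORTS:
            continue
        ports[m["src"]].add(dport)
        targets[m["src"]].add(m["dst"])
    return {
        src: {"ports": sorted(ports[src]), "targets": sorted(targets[src])}
        for src in ports
        if len(ports[src]) >= min_ports or len(targets[src]) >= min_targets
    }

if __name__ == "__main__":
    for src, hit in find_sweeps(SAMPLE_LOG).items():
        print(src, hit["ports"], hit["targets"])
```
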

Vulnerability Details

Threat Actors

Name: APT 5
Known as: KEYHOLE PANDA, comfoo
Origin: China
Targeted Sector: Defense, High-Tech, Industrial, Technology, Telecommunications, Aerospace
Targeted Location: United States and Southeast Asia

Name: MuddyWater
Known as: Seedworm, TEMP.Zagros, Static Kitten, NTSTATS, POWERSTATS, MERCURY
Origin: Iran
Targeted Sector: Defense, High-Tech, Industrial, Technology, Telecommunications, Aerospace
Targeted Location: Defense, Education, Food, Gaming, Government, IT, Media, NGOs, Oil and gas, Telecommunications, Academic, Transportation

PATCH LINKS

https://kb.fortinet.com/kb/documentLink.do?externalID=FD37033
http://www.securityfocus.com/bid/108693

References

https://fortiguard.com/advisory/FG-IR-19-037
https://fortiguard.com/psirt/FG-IR-19-283
https://fortiguard.com/advisory/FG-IR-18-384
https://nvd.nist.gov/vuln/detail/CVE-2018-13379
https://nvd.nist.gov/vuln/detail/CVE-2020-12812
https://nvd.nist.gov/vuln/detail/CVE-2019-5591
https://www.hackread.com/fbi-cisa-hackers-exploit-fortinet-vpn-vulnerabilities/
https://www.ic3.gov/Media/News/2021/210402.pdf
https://thecyberwire.com/newsletters/daily-briefing/10/64
https://therecord.media/us-says-apts-are-using-fortinet-bugs-to-gain-initial-access-for-future-attacks/