04/08/2021 | News release | Distributed by Public on 04/08/2021 11:22
The following blog was co-authored by Caitlin Condon and Bob Rudis, also known (in his own words) as 'some caveman from Maine.'
Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI published a joint alert to warn users that APT threat actors were likely exploiting unpatched Fortinet FortiOS devices to gain initial access to government, commercial, technology, and other organizations' networks. The alert highlighted three FortiOS vulnerabilities, all of which were previously known, and at least one of which (CVE-2018-13379) has been broadly exploited for more than 18 months. This week, CISA published an additional alert amplifying a threat report from security firm Onapsis, which describes ongoing attacks against SAP applications.
Rapid7 has previously analyzed a number of the highest-severity vulnerabilities enumerated in this latest set of alerts. The CVEs included in these reports are detailed below, along with recommendations for organizations seeking to defend themselves against ongoing exploitation. Notably, none of these vulnerabilities are new; many of them are a year or more old, which underscores the need for a regular patch cycle, as well as a defined patch cycle exception process.
Fortinet devices are what we call network pivots; that is, the position they occupy in organizations' networks gives external attackers the ability to access internal networks if exploited successfully, which in turn allows for a range of secondary attacks and other nefarious activities. If at all possible, defenders should strongly consider implementing a 'zero-day' patch cycle for internet-exposed and other network pivot products, including (but not limited to) Fortinet and other VPN products. InsightVM and Nexpose customers can assess their exposure to all three FortiOS CVEs below with vulnerability checks.
Since the beginning of March, Rapid7 Labs' Heisenberg Honeypot fleet has seen nearly 60 IP addresses attempting common, known single GET request exploits against Fortinet devices (we've grouped the IP addresses up to the hosting provider/ISP level):
Unfortunately, our fleet does not emulate Fortinet devices. Since these devices are fairly easy to distinguish on the internet (nearly 1 million of them in the image below), due to the common vendor SSL certificate they use, it is surprising to see opportunistic exploit attempts rather than just inventory/discovery scans.
Over 1 million Fortinet devices discovered by the latest Project Sonar scans (geolocated with MaxMind)
That last sentence should help organizations understand why CISA and the FBI raised the Fortinet exploitation campaign to the level of a joint alert: attackers can easily identify legitimate Fortinet endpoints on the internet, and it takes virtually no time from discovery to exploit if a target system is not patched and configured properly.
On April 3, 2021, Fortinet published a post on patch and vulnerability management in which they outlined their emergency response and patch release practices, their new alignment with ISO standards, and further emphasized the need to keep internet-exposed Fortinet devices patched. They have a special knowledge base article on how to be notified about Fortinet patch releases and provide multiple ways for organizations to stay current on Fortinet security updates. As Fortinet notes in that post, these weaknesses have had patches available for quite some time, so if you're just getting around to fixing them, you may need to dedicate some further cycles to forensic activity, as it is very likely one or more attackers have already taken advantage of these vulnerabilities.
To learn more about other vulnerabilities that functioned as network pivots for attackers, read Rapid7's 2020 Vulnerability Intelligence Report.
The two most recent SAP vulnerabilities detailed in Onapsis' threat report are CVE-2020-6287, a CVSS-10 vulnerability in the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard that has been actively exploited in the wild since July 2020, and SAP Solution Manager CVE-2020-6207. Both of these vulnerabilities allow broad compromise of SAP applications and environments.
Other SAP vulnerabilities noted as being exploited in the wild include: