Hackers Selling Access to Enterprise Networks

Security experts from Cyble security firm have recently identified a security flaw, CVE-2022-40684 that’s affecting multiple versions of Fortinet products, and this product range includes the following products:-

  • FortiOS
  • FortiProxy
  • FortiSwitchManager

A recently patched critical vulnerability in Fortinet products may have been exploited by malicious actors to obtain access to enterprise networks and not only that but they have also been found to be selling those initial access.

Fortinet Products Targeted Attacker

Fortinet products targeted by an attacker contain an attack mechanism that allows an attacker to exploit a feature within a function responsible for evaluating if the targeted device is accessing REST API functionality by leveraging a control mechanism. 

Despite being publicized in early October, it had already been exploited by threat actors by the time this flaw was publicly disclosed.

The attacker is usually able to gain complete access to a targeted system by updating or adding a valid public SSH key to an account associated with the system in question.

Due to the foothold and knowledge that the Threat Actor gained through exploiting this vulnerability, it’s possible for the actor to launch a variety of other attacks against the rest of the IT environment.

More than 100k FortiGate firewalls have been exposed to the internet as claimed by one of the online scanners. It is possible that threat actors could leverage the vulnerability to further compromise a system and then perform the following illicit actions:-

  • To enable the attacker to access the compromised system, modify the admin users’ SSH keys.
  • New users can be added locally.
  • Reroute traffic by updating the networking configuration.
  • The configuration of the system can be downloaded.
  • Obtain other sensitive information about the system by initiating packet captures.
  • On the dark web or dark forums, threat actors could also further disseminate the following sensitive information:-
  • System information
  • System configurations
  • Network details

Products Affected

Here below we have mentioned the products that are affected:-

  • FortiOS version 7.2.0 through 7.2.1
  • FortiOS version 7.0.0 through 7.0.6
  • FortiProxy version 7.2.0
  • FortiProxy version 7.0.0 through 7.0.6
  • FortiSwitchManager version 7.2.0
  • FortiSwitchManager version 7.0.0

Illicit Distribution

One of the Russian cybercrime forums was monitored routinely by researchers from Cyble and researchers observed that unauthorized Fortinet VPN access was being distributed by a threat actor.

While it was found that the FortiOS was outdated at the time of the attack and the victim organizations have been found to be using it.

Recommendations

Here below we have mentioned all the recommendations offered by the security experts:-

  • The latest patch from the official vendor should be applied to affected products.
  • Segment your network properly and implement the appropriate security measures.
  • Firewalls should be configured correctly and updated to protect critical assets.
  • It can be helpful to continuously monitor and log network activity to detect network anomalies as early as possible.
  • Managing access within the IT environment in a proper and efficient manner is essential.
  • In order to find security loopholes that attackers may exploit, regular auditing, vulnerability testing, and pen-testing exercises are a must.
  • Ensure that the organization has secure backup, archiving, and recovery processes in place.
  • There is a need for organizations to provide employees with cyber security awareness training programs.

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.