A surge in brute-force attempts targeting Fortinet SSL VPNs that was spotted earlier this month could be a portent of imminent attacks leveraging currently undisclosed (potentially zero-day) vulnerabilities in Fortinet devices.
Shifting attacks
GreyNoise, a cybersecurity intelligence service that collects, analyzes, and labels data about internet-wide scanning activity through its global network of passive sensors, shared on Tuesday that it spotted two waves of attacks:
- On August 3, 780+ unique IPs triggered the company’s Fortinet SSL VPN Bruteforcer tag (which registers IP addresses observed attempting to brute-force credentials against Fortinet SSL VPNs), as well as their FortiOS profile, “suggesting deliberate and precise targeting of Fortinet’s SSL VPNs”
- From August 5 onward, a second wave, with a completely different TCP signature, shifted to targeting the company’s FortiManager – FGFM profile (while still triggering the Fortinet SSL VPN Bruteforcer tag)
“This indicated a shift in attacker behavior — potentially the same infrastructure or toolset pivoting to a new Fortinet-facing service,” the company explained.
(SSL VPN is a feature of Fortinet’s FortiGate firewalls, which run the proprietary, Linux-based FortiOS operating system. Most other Fortinet devices have no VPN capability; the only exception is FortiProxy, Fortinet’s secure web proxying solution, and only in older versions: FortiProxy 7.2.x and earlier support SSL VPN in certain configurations, but the functionality has been removed as of version 7.4.4.)
Concerns about possible zero-day exploitation
“GreyNoise research has shown that spikes in attacker activity often precede new vulnerabilities affecting the same vendor — with 80 percent of observed cases followed by a CVE disclosure within six weeks,” the company pointed out.
“In fact, GreyNoise found that spikes in activity triggering [the Fortinet SSL VPN Bruteforcer tag] are significantly correlated with future disclosed vulnerabilities in Fortinet products.”
Fortinet has recently released fixes for a number of vulnerabilities in its various products, including a FortiSIEM vulnerability with in-the-wild exploit code, and a medium-severity path traversal vulnerability in FortiManager and FortiManager Cloud that may allow an authenticated remote attacker to overwrite arbitrary files via crafted FGFM requests.
In possibly related news, someone is apparently offering to sell a 0-day remote code execution (RCE) exploit affecting FortiOS VPN versions 7.4 – 7.6 via an underground criminal forum. The stated price is 0.5 bitcoins, which is currently around $60,000, but it’s impossible to tell for sure whether the offer is legitimate or simply an attempt to scam interested parties.
Admins of Fortinet devices should block traffic from the malicious IPs and/or restrict access to trusted IPs only, and implement recommended best practices to harden both the devices and user accounts against brute-force and other types of attacks.
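As an added example (not code from GreyNoise, Fortinet or this article), the following Python script applies the brute-force heuristic behind that advice to FortiGate-style SSL VPN event logs: it parses key=value lines, keeps a sliding window of login failures per source IP, flags any IP that exceeds a threshold within the window, and emits the flagged addresses as a block list. The log lines are constructed; the field names (date, time, action, remip, user, msg) follow FortiOS's key=value convention, but every value is made up, and the threshold, window size and the assumption that lines arrive in chronological order are choices made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, approximating FortiGate's key=value event format for
# SSL VPN logins. IPs are from documentation ranges; users and times are invented.
SAMPLE_LOG = """\
date=2025-08-03 time=10:00:01 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="admin" msg="SSL user failed to logged in"
date=2025-08-03 time=10:00:03 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="root" msg="SSL user failed to logged in"
date=2025-08-03 time=10:00:04 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="test" msg="SSL user failed to logged in"
date=2025-08-03 time=10:00:06 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="vpn" msg="SSL user failed to logged in"
date=2025-08-03 time=10:00:09 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="guest" msg="SSL user failed to logged in"
date=2025-08-03 time=10:00:10 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="jsmith" msg="SSL user failed to logged in"
date=2025-08-03 time=10:00:15 type="event" subtype="vpn" action="tunnel-up" remip=198.51.100.7 user="jsmith" msg="SSL tunnel established"
date=2025-08-03 time=10:45:00 type="event" subtype="vpn" action="ssl-login-fail" remip=192.0.2.55 user="mlee" msg="SSL user failed to logged in"
date=2025-08-03 time=11:30:00 type="event" subtype="vpn" action="ssl-login-fail" remip=192.0.2.55 user="mlee" msg="SSL user failed to logged in"
"""

# key=value pairs; quoted values may contain spaces, unquoted ones end at whitespace
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Parse one FortiGate-style key=value log line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {remip: details} for every source IP that produced at least
    `threshold` SSL VPN login failures inside any `window_seconds` window.

    A per-IP deque holds the timestamps of recent failures (lines are assumed
    to be in chronological order). distinct_users is counted over all failures
    from that IP: password spraying shows up as many users, a single-account
    brute force as one.
    """
    recent = defaultdict(deque)   # remip -> timestamps inside the current window
    users = defaultdict(set)      # remip -> usernames attempted
    flagged = {}

    for line in log_text.splitlines():
        ev = parse_kv(line)
        if ev.get("action") != "ssl-login-fail":
            continue  # successful logins and other events do not count
        ts = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
        ip = ev["remip"]
        users[ip].add(ev.get("user", ""))

        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # expire failures older than the window

        if len(window) >= threshold:
            entry = flagged.setdefault(ip, {"first_flagged": ts, "failures_in_window": 0})
            entry["failures_in_window"] = max(entry["failures_in_window"], len(window))

    for ip in flagged:
        flagged[ip]["distinct_users"] = len(users[ip])
    return flagged


def block_list(flagged):
    """Sorted list of flagged source IPs, ready to feed into a deny rule."""
    return sorted(flagged)


if __name__ == "__main__":
    result = detect_bruteforce(SAMPLE_LOG)
    for ip, info in result.items():
        print(f"{ip}: {info['failures_in_window']} failures within window, "
              f"{info['distinct_users']} distinct users, first flagged {info['first_flagged']}")
    print("block list:", block_list(result))
```

With the defaults, only 203.0.113.10 is flagged (five failures against five different usernames in eight seconds); 198.51.100.7 is a user who mistyped once and then connected, and 192.0.2.55's two failures are 45 minutes apart, so neither crosses the threshold. Tune the threshold and window to the device's normal failure rate before turning the block list into a firewall rule, and treat a high distinct_users count as a spraying indicator rather than a lockout-worthy single account.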