Security News > 2021 > April > FBI and CISA warn of state hackers attacking Fortinet FortiOS servers
The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency warn of advanced persistent threat actors targeting Fortinet FortiOS servers using multiple exploits.
In the Joint Cybersecurity Advisory published today, the agencies warn admins and users that the state-sponsored hacking groups are "Likely" exploiting Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
The attackers are enumerating servers unpatched against CVE-2020-12812 and CVE-2019-5591, and scanning for CVE-2018-13379 vulnerable devices on ports 4443, 8443, and 10443.
The FBI and CISA have also shared mitigation measures to block compromise attempts in these ongoing state-sponsored attacks.
In November 2020, a threat actor shared a list of one-line CVE-2018-13379 exploits that could be used to steal VPN credentials from almost 50,000 Fortinet VPN servers, including governments and banks.
State hackers also abused the CVE-2018-13379 vulnerability in the Fortinet FortiOS Secure Socket Layer VPN to compromise U.S. election support systems reachable over the Internet.
News URL
Related news
- Hackers exploit ProjectSend flaw to backdoor exposed servers (source)
- CISA, FBI Issue Guidance for Securing Communications Infrastructure (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- Russia-Linked Turla Exploits Pakistani Hackers' Servers to Target Afghan and Indian Entities (source)
- CISA and FBI Raise Alerts on Exploited Flaws and Expanding HiatusRAT Campaign (source)
- APT29 Hackers Target High-Value Victims Using Rogue RDP Servers and PyRDP (source)
- Fortinet warns of FortiWLM bug giving hackers admin privileges (source)
- Hackers Exploiting Critical Fortinet EMS Vulnerability to Deploy Remote Access Tools (source)
- FBI links North Korean hackers to $308 million crypto heist (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-08-14 | CVE-2019-5591 | Missing Authentication for Critical Function vulnerability in Fortinet Fortios A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server. | 6.5 |
| 2020-07-24 | CVE-2020-12812 | Improper Handling of Case Sensitivity vulnerability in Fortinet Fortios An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username. | 9.8 |
| 2019-06-04 | CVE-2018-13379 | Path Traversal vulnerability in Fortinet Fortios and Fortiproxy An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests. | 9.8 |