Warning over ransomware attacks spreading via Fortinet kit – ComputerWeekly.com
Ransomware operators are exploiting Fortinet network devices that remain vulnerable to a critical authentication bypass vulnerability, according to research publicly released today by eSentire’s Threat Research Unit (TRU).
Fortinet first disclosed the vulnerability in question – tracked as CVE-2022-40684 – on 10 October 2022. It affects FortiOS, FortiProxy and FortiSwitchManager and, if successfully exploited, enables an unauthenticated actor to perform operations on the admin interface by sending specially crafted HTTP or HTTPS requests.
Fortinet said at the time of the disclosure that it was aware of an instance of the vulnerability having been exploited. However, according to eSentire, a functional proof-of-concept (PoC) exploit was circulating just three days later, after which a “slew” of threat actors began scanning the internet for vulnerable devices.
The TRU team said it had detected and shut down two attacks on its customers – one, a further education institution in Canada, and the other, a global investment firm. Both were hit by an undisclosed ransomware operator, and in both cases the investigation led back to vulnerable Fortinet secure sockets layer virtual private network (SSL VPN) devices that were being managed and monitored by third-party managed service providers (MSPs).
Once they had gained a foothold in the target environments, the threat actor abused Microsoft’s Remote Desktop Protocol (RDP) to achieve lateral movement, as well as legitimate encryption utilities BestCrypt and BitLocker. The overall modus operandi and ransom note were indicative of a relatively new group known as KalajaTomorr.
Keegan Keplinger, research and reporting lead for the eSentire TRU, told Computer Weekly that the use of an insecure VPN to spread ransomware should not, in and of itself, come as a surprise to anybody.
“SSL VPNs are easy to misconfigure, and they are highly targeted for exploitation since they must be exposed to the internet and they provide access to credentials for the organisation,” said Keplinger.
“Additionally, the tendency for these devices to be managed by a third party often means that the organisation and their security providers have no direct visibility into activities being conducted on the device. This allows threat actors longer dwell times, as observed in the sale of these devices on the dark web, [making] SSL VPNs a prime target for initial access brokers [IABs],” he added.
To this point, Keplinger explained that the TRU had also observed multiple parties buying and selling access to compromised Fortinet devices in the weeks after the initial disclosure. These sales ranged from individual targets to bulk sales of multiple potential victims – in one case, an IAB was observed selling bulk access on a monthly subscription basis, asking between $5,000 and $7,000.
Keplinger said the TRU’s research had shown that cyber criminals are always on the ball when it comes to exploiting vulnerabilities in well-used products. Fortinet, as a popular supplier of network security solutions, could be considered particularly at risk of having its technology exploited in such a way.
“A particular blind spot, in this case, was out-of-date Fortinet devices, managed by third parties. This creates a visibility gap for the organisation and their security providers – in cases we observed, this led to the Fortinet devices being leveraged by ransomware actors. You can’t get an endpoint agent on a Fortinet device, but they do have security logging functionality, which is what allowed us to track down and intercept devices that initial access brokers were sitting on,” said Keplinger.
“To detect intrusion actions, after that access has been sold, endpoint monitoring usually does the trick, and if your endpoint monitoring solution can quarantine endpoints, you can intercept attacks before they get the ransomware deployed,” he added.
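The device-side logging Keplinger refers to is the practical detection surface here. The following is an added example, not code from eSentire or Fortinet: it parses constructed FortiOS-style key=value event lines and flags admin-interface changes that fall outside what a third-party MSP would legitimately do (an unknown user, a source address not on the MSP allowlist, or a change to admin credentials or API users). The `Local_Process_Access` pseudo-user is assumed from Fortinet's public advisory for CVE-2022-40684; the allowlist, account names and log lines are constructed.

```python
import re

# Constructed sample FortiOS-style event log lines (key=value format); these are
# not real logs from the devices the article describes.
SAMPLE_LOGS = [
    'date=2022-10-14 time=03:12:08 type="event" subtype="system" user="Local_Process_Access" '
    'ui="https(198.51.100.77)" action="Add" cfgpath="system.api-user" msg="Add api-user"',
    'date=2022-10-14 time=03:12:15 type="event" subtype="system" user="Local_Process_Access" '
    'ui="https(198.51.100.77)" action="Edit" cfgpath="system.admin" msg="Edit ssh-public-key1"',
    'date=2022-10-14 time=09:40:02 type="event" subtype="system" user="msp_admin" '
    'ui="https(203.0.113.10)" action="Edit" cfgpath="firewall.policy" msg="Edit policy 12"',
    'date=2022-10-14 time=11:02:31 type="event" subtype="system" user="msp_admin" '
    'ui="ssh(203.0.113.10)" action="login" status="success"',
]

# Constructed: the addresses the MSP manages the device from, and the admin accounts it should use.
MSP_ALLOWLIST = {"203.0.113.10"}
KNOWN_ADMINS = {"admin", "msp_admin"}
# Assumption drawn from Fortinet's advisory for CVE-2022-40684: this pseudo-user is an indicator.
SUSPICIOUS_USERS = {"Local_Process_Access"}
# Config paths whose modification grants or changes administrative access.
SENSITIVE_CFGPATHS = {"system.api-user", "system.admin"}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
UI_RE = re.compile(r'^\w+\((\d+(?:\.\d+){3})\)$')


def parse_line(line):
    """Turn one key=value log line into a dict, handling quoted and bare values."""
    return {k: q if q else b for k, q, b in KV_RE.findall(line)}


def assess(event):
    """Return the list of reasons an admin-interface event looks suspicious (empty if none)."""
    reasons = []
    user = event.get("user", "")
    if user in SUSPICIOUS_USERS or user not in KNOWN_ADMINS:
        reasons.append(f"unexpected user {user!r}")
    m = UI_RE.match(event.get("ui", ""))
    if m and m.group(1) not in MSP_ALLOWLIST:
        reasons.append(f"source {m.group(1)} outside MSP allowlist")
    if event.get("cfgpath") in SENSITIVE_CFGPATHS and event.get("action") in {"Add", "Edit"}:
        reasons.append(f"credential-bearing change to {event['cfgpath']}")
    return reasons


def find_suspicious(lines):
    """Parse each line and return (time, reasons) for every event that trips a rule."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        reasons = assess(ev)
        if reasons:
            hits.append((ev.get("time"), reasons))
    return hits
```

Running `find_suspicious(SAMPLE_LOGS)` flags only the two 03:12 events, each on all three rules, while the MSP's own policy edit and SSH login pass cleanly.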
Computer Weekly reached out to Fortinet for more information, but the organisation had not responded at the time of publication.
At the same time, defenders should be alert to the possibility of exploitation of a different vulnerability in the FortiOS SSL VPN, disclosed by France-based Olympe Cyberdefense just before Christmas. The heap-based buffer overflow tracked as CVE-2022-42475 could enable remote, unauthenticated attackers to execute arbitrary code.