An article published on the FBI and U.S. CISA’s warnings of APT groups exploiting Fortinet FortiOS vulnerabilities, targeting systems of government, technology, and commercial services.
<p>Networking equipment tends to be central to a company\’s operations. This incident of attackers capitalizing on a combination of N-day vulnerabilities—as opposed to zero-day—and unpatched systems, highlights the challenges that IT administrators experience in scheduling downtime to patch vulnerabilities. However, in the meantime, this also makes unpatched systems a prime target for attackers seeking out prey. This advisory is similar to a NSA/CISA advisory released in December 2020, regarding advanced persistent threat (APT) groups’ use of N-day vulnerabilities on access software, like VPNs and edge content delivery networks.<u></u><u></u></p> <p> </p> <p>As APT groups continue to target vulnerabilities within government, technology and commercial services’ systems, organizations across industries must recognize the need to accept the assistance of security researchers who are actively defending against a growing legion of adversaries. Even enterprises with in-house security teams can benefit from the hypervigilance of external security researchers — specifically their ability to provide continuous, 24/7 security testing and monitoring. <u></u> <u></u></p> <p> </p> <p>Although each of these vulnerabilities were known and patches were issued by the Fortinet, the responsibility falls on IT administrators to rapidly apply these fixes. By leveraging external security researchers, admins can rely on the insights of security researchers to provide contextual intelligence as to which vulnerabilities constitute the greatest —and therefore most urgent— risk to an organization. Active scanning for system vulnerabilities is a routine process after the release and weaponization of remotely exploitable common vulnerabilities and exposures (CVEs), from actors ranging from amateur to the very sophisticated. <u></u><u></u></p> <p> </p> <p>Additionally, IT administrators can arm themselves with an extra layer of security to proactively identify and address such vulnerabilities before they are discovered and exploited by adversaries, such as these APT groups. This grants IT administrators a more generous timeline to address vulnerabilities and ensure proper security measures have been implemented. Speed is the natural enemy of security and the best way to improve an organization’s security posture and beat malicious adversaries is by thinking like one.</p>
<p>This is a major challenge to organisations as there is a never ending stream of vulnerable devices that need immediate patching to mitigate the threat of serious negative consequences. It’s a perpetual fire drill for organisations – not only taking time to ensure the devices are patched correctly, but more so, not knowing if and where they have these devices in the first place. There has been huge emphasis on SSL VPN solutions enabling us all to work during the pandemic, and many business units and departments have sourced VPN solutions at speed, and often outside of the normal IT procurement process.</p> <p> </p> <p>Therefore, fixing the possibility of actively attempted unauthorised access to their networks, from a trivially exploitable hole, will be a priority. In addition to patching the FortiOS devices, it will be important to compare the patterns of behaviours of the devices themselves to highlight any changes in behaviour over time. Similarly, organisations should compare each device against other Fortinet devices to spot deviations from a profile of expected behaviours, that will act as an indicator to the possibility that an attack may of occurred.</p> <p> </p> <p>With VPNs a commonly abused entry point for attackers – and Fortinet having an existing partnership with the NHS – we can probably expect to see an NHS Cyber Alert in the coming hours and days. There are strong and robust practises in place within the NHS. The common issue we see is not the lack of ability or speed to patch, it is in finding the devices in the first place from what is often a forgotten piece of the puzzle, the asset inventory. It is these forgotten or unknown devices that will be the major source of concern.</p>
<p>Networking equipment tends to be central to a company\’s operations. This incident of attackers capitalizing on a combination of N-day vulnerabilities—as opposed to zero-day—and unpatched systems, highlights the challenges that IT administrators experience in scheduling downtime to patch vulnerabilities. However, in the meantime, this also makes unpatched systems a prime target for attackers seeking out prey. This advisory is similar to a NSA/CISA advisory released in December 2020, regarding advanced persistent threat (APT) groups’ use of N-day vulnerabilities on access software, like VPNs and edge content delivery networks.<u></u><u></u></p> <p> </p> <p>As APT groups continue to target vulnerabilities within government, technology and commercial services’ systems, organizations across industries must recognize the need to accept the assistance of security researchers who are actively defending against a growing legion of adversaries. Even enterprises with in-house security teams can benefit from the hypervigilance of external security researchers — specifically their ability to provide continuous, 24/7 security testing and monitoring. <u></u> <u></u></p> <p> </p> <p>Although each of these vulnerabilities were known and patches were issued by the Fortinet, the responsibility falls on IT administrators to rapidly apply these fixes. By leveraging external security researchers, admins can rely on the insights of security researchers to provide contextual intelligence as to which vulnerabilities constitute the greatest —and therefore most urgent— risk to an organization. Active scanning for system vulnerabilities is a routine process after the release and weaponization of remotely exploitable common vulnerabilities and exposures (CVEs), from actors ranging from amateur to the very sophisticated. <u></u><u></u></p> <p> </p> <p>Additionally, IT administrators can arm themselves with an extra layer of security to proactively identify and address such vulnerabilities before they are discovered and exploited by adversaries, such as these APT groups. This grants IT administrators a more generous timeline to address vulnerabilities and ensure proper security measures have been implemented. Speed is the natural enemy of security and the best way to improve an organization’s security posture and beat malicious adversaries is by thinking like one.</p>
<p>This is a major challenge to organisations as there is a never ending stream of vulnerable devices that need immediate patching to mitigate the threat of serious negative consequences. It’s a perpetual fire drill for organisations – not only taking time to ensure the devices are patched correctly, but more so, not knowing if and where they have these devices in the first place. There has been huge emphasis on SSL VPN solutions enabling us all to work during the pandemic, and many business units and departments have sourced VPN solutions at speed, and often outside of the normal IT procurement process.</p> <p> </p> <p>Therefore, fixing the possibility of actively attempted unauthorised access to their networks, from a trivially exploitable hole, will be a priority. In addition to patching the FortiOS devices, it will be important to compare the patterns of behaviours of the devices themselves to highlight any changes in behaviour over time. Similarly, organisations should compare each device against other Fortinet devices to spot deviations from a profile of expected behaviours, that will act as an indicator to the possibility that an attack may of occurred.</p> <p> </p> <p>With VPNs a commonly abused entry point for attackers – and Fortinet having an existing partnership with the NHS – we can probably expect to see an NHS Cyber Alert in the coming hours and days. There are strong and robust practises in place within the NHS. The common issue we see is not the lack of ability or speed to patch, it is in finding the devices in the first place from what is often a forgotten piece of the puzzle, the asset inventory. It is these forgotten or unknown devices that will be the major source of concern.</p>