FBI and CISA Warn About APTs Targeting FortiOS VPN Vulnerabilities

Written by Bill Toulas
Last updated September 23, 2021

The FBI and CISA have issued a joint cybersecurity advisory to inform everyone about APT actors scanning for Fortinet FortiOS VPN vulnerabilities. The agencies have observed scanning for CVE-2018-13379 on ports 4443, 8443, and 10443, as well as the enumeration of devices for CVE-2020-12812 and CVE-2019-5591. The actors' apparent goal is to exploit these flaws to gain access to government, commercial, and tech service networks. All three of the identified flaws already have patches available, so applying the FortiOS updates should eliminate the danger.
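As an added illustration, not part of the advisory or of this article, the following Python sketch flags sources that probe more than one of the three ports the advisory names within a short window. The log line format and the sample entries are constructed for the example; the IP addresses are documentation ranges, not real indicators.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the joint advisory says were being scanned for CVE-2018-13379.
FORTIOS_VPN_PORTS = {4443, 8443, 10443}

# Constructed sample firewall connection log (not real traffic). Assumed format:
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
2021-04-02T10:00:01 203.0.113.7 -> 198.51.100.10:4443 allow
2021-04-02T10:00:02 203.0.113.7 -> 198.51.100.10:8443 deny
2021-04-02T10:00:03 203.0.113.7 -> 198.51.100.10:10443 deny
2021-04-02T10:05:00 192.0.2.44 -> 198.51.100.10:443 allow
2021-04-02T10:06:00 192.0.2.44 -> 198.51.100.10:8443 allow
2021-04-02T13:00:00 203.0.113.9 -> 198.51.100.11:4443 allow
2021-04-02T14:30:00 203.0.113.9 -> 198.51.100.11:10443 allow
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, src_ip, dst_port)."""
    ts, src, _, dst, _ = line.split()
    _, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, int(port)


def find_vpn_port_scanners(log_text, window=timedelta(minutes=10), min_ports=2):
    """Return {src_ip: sorted ports} for every source that touches at least
    `min_ports` distinct FortiOS VPN ports within `window`."""
    hits = defaultdict(list)  # src_ip -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, port = parse_line(line)
        if port in FORTIOS_VPN_PORTS:
            hits[src].append((ts, port))

    suspects = {}
    for src, events in hits.items():
        events.sort()
        # Sliding window: from each event, collect the ports hit within `window`.
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= min_ports:
                suspects[src] = sorted(ports)
                break
    return suspects


if __name__ == "__main__":
    print(find_vpn_port_scanners(SAMPLE_LOG))
```

A single hit on one of the ports is ordinary traffic for a FortiOS SSL VPN, so the check only fires when several of the ports are touched together; widening `window` catches slower probing at the cost of more noise.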

If patching is impossible, or if FortiOS isn’t used by your organization directly, you are advised to add the product’s key artifact files to your execution deny list. In addition, follow a proper backup plan, implement network segmentation, require admin credentials to install software, and use MFA where possible. All user accounts with admin privileges should be regularly audited, software needs to be regularly updated, and remote desktop protocol ports should be monitored and even disabled if they are not actively used or needed.

The advisory doesn’t give any details about the origin of the APT, but it looks like the actors' goal is a persistent and stealthy presence on critical networks. In the recent past, we covered reports about Iranian APT groups weaponizing similar flaws in FortiOS VPN within days of their publication.

Zach Hanley, Senior Red Team Engineer at Horizon3.AI, told us:

“Attackers are increasingly targeting critical external applications – VPNs have been targeted even more this last year. These three vulnerabilities targeting the Fortinet VPN allow an attacker to obtain valid credentials, bypass multi-factor authentication (MFA), and man-in-the-middle (MITM) authentication traffic to intercept credentials. The common theme here is: once they are successful, they will look just like your normal users.”

As for the flaws themselves, here are some details about them:

Since Fortinet has fixed all of the above in FortiOS 7.0, which also adds a range of new features and support for new technologies, we would suggest that everyone upgrade to the latest version of the product, if possible.
