Threat Actor Provides Access to Corporate Network Through Unauthorized Fortinet VPN Access

Cyble observed Initial Access Brokers (IABs) providing access to corporate networks compromised by critical flaws in Fortinet products.

Researchers at Cyble have observed that the corporate network access sold by Initial Access Brokers (IABs) may have been obtained by exploiting the recently patched critical vulnerability CVE-2022-40684 in Fortinet products.

In early October, Fortinet addressed a critical authentication bypass vulnerability affecting the FortiGate firewall and FortiProxy web proxy, tracked as CVE-2022-40684.

The company explained that an attacker could exploit the vulnerability to log into a vulnerable device.

“Authentication bypass using an alternate path or channel [CWE-88] Vulnerabilities in FortiOS and FortiProxy could allow an unauthenticated attacker to take actions on the management interface through specially crafted HTTP or HTTPS requests,” reads a customer support advisory issued by the company.

Due to the risk of remote exploitation of the vulnerability, the company urges customers to address this critical vulnerability immediately.

The vulnerability affects FortiOS versions 7.0.0 to 7.0.6 and 7.2.0 to 7.2.1, and FortiProxy versions 7.0.0 to 7.0.6 and 7.2.0.

The cybersecurity firm addressed the flaw by releasing FortiOS/FortiProxy versions 7.0.7 and 7.2.2.

The company also offered a workaround for those who couldn’t immediately deploy the security update.

Customers who cannot upgrade their systems should restrict access to their equipment to a specific set of IP addresses.

On October 18, Fortinet confirmed that the critical authentication bypass vulnerability is being exploited.

“Fortinet is aware of instances where this vulnerability has been exploited and recommends immediately verifying your system against the following indicators of compromise in the device logs: user="Local_Process_Access",” the advisory continued.
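One way to run that log check over exported device logs, as an added example that is not from the article or from Fortinet. It assumes a key=value log layout; every field name other than `user` is an assumption, and the sample lines are constructed.

```python
import re

IOC_USER = "Local_Process_Access"  # indicator named in the advisory quoted above

# key=value pairs: the value is double-quoted (may hold spaces) or a bare token
_PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict, keeping quoted values whole."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PAIR.finditer(line)}

def hunt(lines):
    """Return one record per line whose user field equals the indicator.

    Matching on the parsed field, not on a substring, avoids hits on lines
    that merely mention the indicator inside a message.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = parse_line(line)
        if fields.get("user") == IOC_USER:
            hits.append({
                "line": number,
                "when": f'{fields.get("date", "?")} {fields.get("time", "?")}',
                "device": fields.get("devname", "?"),  # assumed field name
                "action": fields.get("action", "?"),   # assumed field name
                "msg": fields.get("msg", ""),          # assumed field name
            })
    return hits

# Constructed sample lines (not real device output).
SAMPLE_LOG = [
    'date=2022-10-18 time=10:02:11 devname="fw-example" type="event" '
    'user="Local_Process_Access" action="Edit" msg="Attribute configured"',
    'date=2022-10-18 time=10:05:40 devname="fw-example" type="event" '
    'user="admin" action="login" msg="Searched logs for user=Local_Process_Access"',
    'date=2022-10-18 time=10:07:03 devname="fw-example" type="event" '
    'user=Local_Process_Access action="Add" msg="Object configured"',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f'line {hit["line"]}: {hit["when"]} {hit["device"]} '
              f'action={hit["action"]} msg={hit["msg"]!r}')
```

Any hit should be treated as a possible compromise and followed by a review of admin accounts, admin SSH keys and recent configuration changes on that device.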

Proof-of-concept (PoC) exploit code for the CVE-2022-40684 vulnerability has been published online. The public availability of the PoC exploit code could trigger a wave of attacks against Fortinet devices.

In October, the Shadowserver Foundation reported that more than 17,000 Fortinet devices were exposed online and vulnerable to exploitation of CVE-2022-40684, mostly in Germany and the United States.

Now, Cyble researchers report more than 100,000 FortiGate firewalls that are accessible from the internet and could be targeted by threat actors if they haven’t been patched.

Threat actors could exploit this vulnerability to perform malicious activities such as:

  • Modify the SSH keys of the admin user, allowing the attacker to log into the infected system.
  • Add a new local user.
  • Update network configuration to reroute traffic.
  • Download system configuration.
  • Start a packet capture to capture other sensitive system information.
  • Further distribute sensitive system information, system configuration and network details on the dark web.

“During routine monitoring, Cyble researchers observed a threat actor (TA) distributing multiple unauthorized access to Fortinet VPN on a Russian cybercrime forum,” reads the analysis published by Cyble.

“When analyzing the access, it was found that the attackers were trying to add their own public key to the account of the admin user. According to the intelligence gathered from the source, the victim organization was using an outdated version of FortiOS. Therefore, we have concluded with very high confidence that the threat actors behind this sale exploited CVE-2022-40684.”

Cyble researchers observed that threat actors have been targeting Fortinet instances since October 17, 2022.

“An authentication bypass vulnerability in Fortinet products could allow an unauthenticated attacker to perform operations on the management interface. The vulnerability is classified as critical due to the large number of exposed assets belonging to public and private entities exposed on the Internet,” concludes the post. “Publicly distributed proofs of concept (POCs) and automated tools make it easier for attackers to target victim organizations within days of a new CVE being published.”

Pierluigi Paganini

(security affairs Hacking, Fortinet)