Hackers Leverage Compromised Fortinet Devices to Distribute Ransomware

Attackers exploited a Fortinet virtual private network (VPN) device in an attempt to infect a Canadian university and a global investment firm with ransomware.

The findings came from eSentire’s Threat Response Unit (TRU), which reportedly stopped the attacks and shared details about them with Infosecurity before going public.

eSentire said the attackers attempted to exploit a critical Fortinet vulnerability discovered in 2018 (tracked as CVE-2022-40684) and disclosed in October 2022.

“Fortinet describes the security weakness as an authentication bypass vulnerability. Successful exploitation could allow an unauthenticated attacker to gain access to a vulnerable Fortinet device.”

In the advisory, Fortinet said it only confirmed one incident in which the vulnerability was actively exploited, but a few days later, working proof-of-concept (POC) exploit code was made public.

“TRU is the first to observe that a large number of threat actors are scanning the Internet looking for vulnerable Fortinet devices,” eSentire wrote.

After conducting a dark web hunt, TRU said it observed hackers buying and selling compromised Fortinet devices on underground markets, which demonstrates widespread exploitation.

“Hacker sales ranged from individual organizations to mass sales, with many buyers interested,” explained eSentire.

Noticing this activity, the team said it tracked down the technical details of the exploit and created a log-based detection for Fortinet devices.

“TRU conducted a threat hunt, sweeping historical logs from Fortinet devices looking for indicators of compromise,” the company’s report reads. “TRU has identified multiple customers whose devices have shown signs of recent threat activity.”

Among the threat activity it identified, eSentire said, were the two aforementioned cyber intrusions.

“In both cases, once the hackers gained a foothold in the target IT environment via the Fortinet VPN, the attackers used Microsoft’s Remote Desktop Protocol (RDP) service and abused trusted Windows processes (also known as LOLBINs, or Living Off The Land binaries) to achieve lateral movement.”

“Hackers used legitimate encryption utilities such as BestCrypt and BitLocker, which were originally intended to protect data, not to hold it hostage,” continued eSentire.

According to the advisory, the use of remote exploits, LOLBINs and legitimate encryption utilities, combined with the absence of exfiltration sites, makes the attacks difficult to identify.

“However, the ransom note followed a form of ransomware observed in early 2022 known as KalajaTomorr, which used BestCrypt via RDP lateral movement,” warned eSentire.

Commenting on this exploit is Keegan Keplinger, Research and Reporting Lead for eSentire’s TRU research team.

“Like any security technology, it’s possible to misconfigure an SSL VPN, leaving [organizations] vulnerable to attack,” said Keplinger.

“Because VPNs face the Internet, they are easy targets for hackers. What makes VPNs so valuable to attackers is that VPN devices often integrate with organization-wide authentication, because access to the VPN device means access to your organizational credentials.”

The TRU advisory comes two months after the Bahamut spyware group was discovered compromising Android devices via a fake VPN app.
