Warning over ransomware attacks spreading via Fortinet kit

Ransomware operators are exploiting Fortinet network devices that remain vulnerable to a critical authentication bypass vulnerability, according to research publicly released today by eSentire’s Threat Research Unit (TRU).

Fortinet first disclosed the vulnerability in question – tracked as CVE-2022-40684 – on 10 October 2022. It affects FortiOS, FortiProxy and FortiSwitchManager, which, if successfully exploited, would enable an unauthenticated actor to perform operations on the admin interface by sending specially crafted HTTP or HTTPS requests.

Fortinet said at the time of the disclosure that it was aware of an instance of the vulnerability having been exploited. However, according to eSentire, a functional proof-of-concept (PoC) exploit was circulating just three days later, after which a “slew” of threat actors began scanning the internet for vulnerable devices.

The TRU team said it had detected and shut down two attacks on its customers – one, a further education institution in Canada, and the other, a global investment firm. Both were hit by an undisclosed ransomware operator, and in both cases, the investigation led back to vulnerable Fortinet secure socket layer virtual private network (SSL VPN) devices that were being managed and monitored by third-party managed service providers (MSPs).

Once they had gained a foothold in the target environments, the threat actor abused Microsoft’s Remote Desktop Protocol (RDP) to achieve lateral movement, as well as legitimate encryption utilities BestCrypt and BitLocker. The overall modus operandi and ransom note were indicative of a relatively new group known as KalajaTomorr.

Keegan Keplinger, research and reporting lead for the eSentire TRU, told Computer Weekly that the use of an insecure VPN to spread ransomware should not, in and of itself, come as a surprise to anybody.

“SSL VPNs are easy to misconfigure, and they are highly targeted for exploitation since they must be exposed to the internet and they provide access to credentials for the organisation,” said Keplinger.

“Additionally, the tendency for these devices to be managed by a third party often means that the organisation and their security providers have no direct visibility into activities being conducted on the device. This allows threat actors longer dwell times, as observed in the sale of these devices on the dark web, [making] SSL VPNs a prime target for initial access brokers [IABs],” he added.

To this point, Keplinger explained that the TRU had also observed multiple parties buying and selling access to compromised Fortinet devices in the weeks after the initial disclosure. These sales ranged from individual targets to bulk sales of multiple potential victims – in one case, an IAB was observed selling bulk access on a monthly subscription basis, asking between $5,000 and $7,000.

Keplinger said the TRU’s research had shown that cyber criminals are always on the ball when it comes to exploiting vulnerabilities in well-used products. Fortinet, as a popular supplier of network security solutions, could be considered particularly at risk of having its technology exploited in such a way.

“A particular blind spot, in this case, was out-of-date Fortinet devices, managed by third parties. This creates a visibility gap for the organisation and their security providers – in cases we observed, this led to the Fortinet devices being leveraged by ransomware actors. You can’t get an endpoint agent on a Fortinet device, but they do have security logging functionality, which is what allowed us to track down and intercept devices that initial access brokers were sitting on,” said Keplinger.

“To detect intrusion actions, after that access has been sold, endpoint monitoring usually does the trick, and if your endpoint monitoring solution can quarantine endpoints, you can intercept attacks before they get the ransomware deployed,” he added.

Computer Weekly reached out to Fortinet for more information, but the organisation had not responded at the time of publication.

At the same time, defenders should be alert to the possibility of exploitation of a different vulnerability in the FortiOS SSL VPN, disclosed by France-based Olympe Cyberdefense just before Christmas. The heap-based buffer overflow tracked as CVE-2022-42475 could enable remote, unauthenticated attackers to execute arbitrary code.