{"id":595313,"date":"2023-01-08T05:49:23","date_gmt":"2023-01-08T11:49:23","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/01\/08\/warning-over-ransomware-attacks-spreading-via-fortinet-kit\/"},"modified":"2023-01-08T05:49:23","modified_gmt":"2023-01-08T11:49:23","slug":"warning-over-ransomware-attacks-spreading-via-fortinet-kit","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/01\/08\/warning-over-ransomware-attacks-spreading-via-fortinet-kit\/","title":{"rendered":"Warning over ransomware attacks spreading via Fortinet kit"},"content":{"rendered":"<div id=\"content-header\">\n<h2>Following the disclosure of a critical vulnerability in October 2022, Fortinet VPN devices were exploited in two known ransomware attacks, with access likely sold on the dark web<\/h2>\n<\/div>\n<div id=\"content-center\">\n<div id=\"contributors-block\">\n<p><img decoding=\"async\" src=\"https:\/\/cdn.ttgtmedia.com\/rms\/computerweekly\/Alex-Scroxton-CW-Contributor-2022.jpg\" alt=\"Alex Scroxton\">\n\t\t\t\t\t<\/p>\n<p><span>By<\/span><\/p>\n<ul>\n<li>\n\t\t\t\t\t<a href=\"https:\/\/www.techtarget.com\/contributor\/Alex-Scroxton\">Alex Scroxton,<\/a><br \/>\n\t\t\t\t\t\t<span>Security Editor<\/span>\n\t\t\t\t\t\t<\/li>\n<\/ul>\n<p>\n\tPublished: <span>05 Jan 2023 14:00<\/span>\n<\/p>\n<\/div>\n<section id=\"content-body\">\n<p>Ransomware operators are exploiting Fortinet network devices that remain vulnerable to a critical authentication bypass vulnerability, according to research publicly <a href=\"https:\/\/www.esentire.com\/blog\/hackers-exploit-fortinet-devices-to-spread-ransomware-within-corporate-environments-warns-esentire\">released today by eSentire\u2019s Threat Research Unit<\/a> (TRU).<\/p>\n<p><a href=\"https:\/\/www.fortiguard.com\/psirt\/FG-IR-22-377\">Fortinet first disclosed the vulnerability in question<\/a> \u2013 tracked 
as CVE-2022-40684 \u2013 on 10 October 2022. The flaw affects FortiOS, FortiProxy and FortiSwitchManager and, if successfully exploited, allows an unauthenticated actor to perform operations on the administrative interface by sending specially crafted HTTP or HTTPS requests.<\/p>\n<p>Fortinet said at the time of the disclosure that it was aware of an instance of the vulnerability having been exploited. However, according to eSentire, a functional proof-of-concept (PoC) exploit was circulating just three days later, after which a \u201cslew\u201d of threat actors began scanning the internet for vulnerable devices.<\/p>\n<p>The TRU team said it had detected and shut down two attacks on its customers \u2013 one, a further education institution in Canada, and the other, a global investment firm. Both were hit by an undisclosed ransomware operator, and in both cases, the investigation led back to vulnerable Fortinet <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/definition\/SSL-VPN\">Secure Sockets Layer virtual private network<\/a> (SSL VPN) devices that were being managed and monitored by third-party managed service providers (MSPs).<\/p>\n<p>Once it had gained a foothold in the target environments, the threat actor abused <a href=\"https:\/\/www.computerweekly.com\/news\/252528435\/UK-unis-implement-new-IP-traffic-policies-to-combat-ransomware\">Microsoft\u2019s Remote Desktop Protocol<\/a> (RDP) for lateral movement, as well as the legitimate encryption utilities BestCrypt and BitLocker. 
The overall modus operandi and ransom note were indicative of a relatively new group known as <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard\/\">KalajaTomorr<\/a>.<\/p>\n<p>Keegan Keplinger, research and reporting lead for the eSentire TRU, told Computer Weekly that the use of an insecure VPN to spread ransomware should not, in and of itself, come as a surprise to anybody.<\/p>\n<p>\u201cSSL VPNs are easy to misconfigure, and they are highly targeted for exploitation since they must be exposed to the internet and they provide access to credentials for the organisation,\u201d said Keplinger.<\/p>\n<p>\u201cAdditionally, the tendency for these devices to be managed by a third party often means that the organisation and their security providers have no direct visibility into activities being conducted on the device. This allows threat actors longer dwell times, as observed in the sale of these devices on the dark web, [making] SSL VPNs a prime target for <a href=\"https:\/\/www.computerweekly.com\/news\/252521553\/2k-to-access-your-organisation-on-the-dark-web\">initial access brokers<\/a> [IABs],\u201d he added.<\/p>\n<p>To this point, Keplinger explained that the TRU had also observed multiple parties buying and selling access to compromised Fortinet devices in the weeks after the initial disclosure. These sales ranged from individual targets to bulk sales of multiple potential victims \u2013 in one case, an IAB was observed selling bulk access on a monthly subscription basis, asking between $5,000 and $7,000.<\/p>\n<p>Keplinger said the TRU\u2019s research had shown that cyber criminals are always on the ball when it comes to exploiting vulnerabilities in well-used products. 
As a widely deployed supplier of network security products, Fortinet is particularly exposed to having its technology exploited in this way.<\/p>\n<p><span>\u201cA particular blind spot, in this case, was out-of-date Fortinet devices, managed by third parties. This creates a visibility gap for the organisation and their security providers \u2013 in cases we observed, this led to the Fortinet devices being leveraged by ransomware actors. You can\u2019t get an endpoint agent on a Fortinet device, but they do have security logging functionality, which is what allowed us to track down and intercept devices that initial access brokers were sitting on,\u201d said Keplinger.<\/span><\/p>\n<p><span>\u201cTo detect intrusion actions, after that access has been sold, endpoint monitoring usually does the trick, and if your endpoint monitoring solution can quarantine endpoints, you can intercept attacks before they get the ransomware deployed,\u201d he added.<\/span><\/p>\n<p><span>Computer Weekly reached out to Fortinet for more information, but the organisation had not responded at the time of publication.<\/span><\/p>\n<p><span>Defenders should also be alert to exploitation of <a href=\"https:\/\/www.lemagit.fr\/actualites\/252528257\/VPN-SSL-nouvelle-vulnerabilite-critique-inedite-chez-Fortinet\">a separate vulnerability in the FortiOS SSL VPN<\/a>, disclosed by France-based <a href=\"https:\/\/olympecyberdefense.fr\/\">Olympe Cyberdefense<\/a> just before Christmas. 
The heap-based buffer overflow tracked as CVE-2022-42475 could enable remote, unauthenticated attackers <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/news\/252528274\/Fortinet-confirms-VPN-vulnerability-exploited-in-the-wild\">to execute arbitrary code<\/a>.<\/span><\/p>\n<\/section>\n<\/div>\n<p><a href=\"https:\/\/www.computerweekly.com\/news\/252528897\/Warning-over-ransomware-attacks-spreading-via-Fortinet-kit\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><br \/>\n Yuri Grumbles<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Following the disclosure of a critical vulnerability in October 2022, Fortinet VPN devices were exploited in two known ransomware attacks, with access likely sold on the dark web By Alex Scroxton, Security Editor Published: 05 Jan 2023 14:00 Ransomware operators are exploiting Fortinet network devices that remain vulnerable to a critical authentication bypass vulnerability, according<\/p>\n","protected":false},"author":1,"featured_media":595314,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[31358,46,767],"tags":[],"class_list":{"0":"post-595313","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-ransomware","8":"category-technology","9":"category-warning"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/595313","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=595313"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/595313\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"
https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/595314"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=595313"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=595313"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=595313"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}