eSentire’s Threat Research Unit (TRU) confirmed in its recent research that threat actors are exploiting Fortinet Virtual Private Network (VPN) devices that remain vulnerable to a critical authentication bypass vulnerability. In the cases observed, the VPNs were managed by third-party providers, so the affected organizations had no direct visibility into the devices.
Fortinet is a security vendor whose product line includes next-generation firewalls, antivirus, VPNs, and endpoint solutions, among other offerings.
On October 10, 2022, Fortinet issued a public statement disclosing a critical vulnerability (CVE-2022-40684) affecting several of its products, including FortiOS, FortiProxy, and FortiSwitchManager.
If the vulnerability is successfully exploited, the attacker can gain access to the Fortinet device. The risk is compounded because these devices are often integrated with organization-wide authentication services such as Lightweight Directory Access Protocol (LDAP) directories and Active Directory (AD).
TRU further said that its team detected and shut down two attacks on its customers: one a Canadian college and the other a global investment firm.
Once the threat actors had gained access to the target network, they used Microsoft’s Remote Desktop Protocol (RDP) for lateral movement and employed the legitimate encryption utilities BestCrypt and BitLocker.
Keegan Keplinger, research and reporting lead for the eSentire TRU, said, “SSL VPNs are easy to misconfigure, and they are highly targeted for exploitation since they must be exposed to the internet and they provide access to credentials for the organization…”
“Additionally, the tendency for these devices to be managed by a third party often means that the organization and their security providers have no direct visibility into activities being conducted on the device. This allows threat actors longer dwell times, as observed in the sale of these devices on the dark web, [making] SSL VPNs a prime target for initial access brokers [IABs].”
Furthermore, Keplinger said TRU’s research had shown that threat actors are always ready to exploit vulnerabilities in widely used products. The attacks send a strong signal to large technology vendors that their products are being exploited in this way.