VPN Vulnerabilities Being Exploited by Russian APT

By Anthony Eich on April 29, 2021

Executive Summary

Fortinet, a popular virtual private network (VPN) provider, has made headlines recently as its servers running FortiOS have been systematically compromised by hackers seeking to deploy a new ransomware known as “Cring.” The company, globally known as a secure networking provider, has known about the vulnerabilities since 2019 and has provided patches for its servers. However, many servers have still not been updated by end users to protect against this vulnerability, and that is how bad actors have been taking advantage. The attacks are highly sophisticated and require a lot of time and planning to exploit the vulnerabilities, leading investigators to believe that the attackers are nation-state sponsored Advanced Persistent Threats (APTs) [1]. A hacker group aliased “pumpedkicks” released a list of nearly 50K vulnerable Fortinet devices [2]. It appears that the hacker group may be associated with the well-known APT 29, also known as “Cozy Bear”. Cozy Bear is a Russian APT that Fortinet warned in 2020 was using the known vulnerability to target COVID-19 research in Canada [8]. While the attacks currently seem focused on European targets, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have released a joint advisory warning all users to take precautions to mitigate possible attacks [3].

Background

The attacks on the Fortinet devices take advantage of a hole in the operating system that allows an attack known as path traversal. The vulnerability was first listed in the National Vulnerability Database as CVE-2018-13379 (Common Vulnerabilities and Exposures) on June 4th, 2019. Since then, Fortinet has released several statements urging its many customers to install the provided patches to close the hole [1]. Even so, the hacker “pumpedkicks” was able to scan and enumerate a massive number of Fortinet systems, compile a list of nearly 50 thousand vulnerable IP addresses, and publish it on the internet. The IP addresses listed led to many institutions, such as banks, government agencies and corporations, all around the world.

In March, an FBI and CISA joint advisory was released stating:

“the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) observed Advanced Persistent Threat (APT) actors scanning devices on ports 4443, 8443, and 10443 for CVE-2018-13379, and enumerated devices for CVE-2020-12812 and CVE-2019-5591. It is likely that the APT actors are scanning for these vulnerabilities to gain access to multiple government, commercial, and technology services networks.” [3]
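As an added illustration (not from the original article, Fortinet, or the FBI/CISA advisory), the following Python script flags path-traversal sequences in requests arriving on the SSL-VPN ports named in the advisory and lists clients that probed more than one of those ports, which is the kind of scanning the advisory describes. The log format, IP addresses and request paths are constructed for the example; it does not reproduce the actual CVE-2018-13379 request.

```python
import re
from urllib.parse import unquote

# Ports the FBI/CISA advisory quoted above names as being scanned for CVE-2018-13379.
SSLVPN_PORTS = {4443, 8443, 10443}

# Constructed sample log lines ("client_ip dst_port method path status"); the paths are made up and are not the vulnerable FortiOS endpoint.
SAMPLE_LOG = """\
203.0.113.7 10443 GET /vpn/login 200
192.0.2.44 4443 GET /vpn/login 403
192.0.2.44 8443 GET /vpn/login 403
192.0.2.44 10443 GET /vpn/login 403
198.51.100.9 10443 GET /vpn/files?name=../../../../etc/passwd 200
198.51.100.9 10443 GET /vpn/files?name=%2e%2e%2f%2e%2e%2fetc%2fhosts 200
198.51.100.9 10443 GET /vpn/files?name=..%252f..%252fetc%252fshadow 200
203.0.113.7 443 GET /index.html 200
"""
# A ".." that is not part of a longer token and is followed by a separator or the end.
TRAVERSAL = re.compile(r"(?<![\w.])\.\.(?=/|$)")

def normalize(path: str) -> str:
    """Percent-decode up to three times (catches double encoding), then fold '\\' to '/'."""
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")

def is_traversal(path: str) -> bool:
    return TRAVERSAL.search(normalize(path)) is not None

def records(log_text: str):
    """Yield (client, port, path) from the simple log format above."""
    for line in filter(None, log_text.splitlines()):
        client, port, _method, path, _status = line.split()
        yield client, int(port), path

def find_suspicious(log_text: str):
    """Requests on an SSL-VPN port whose path carries a traversal sequence."""
    return [(c, p, path) for c, p, path in records(log_text)
            if p in SSLVPN_PORTS and is_traversal(path)]

def scanning_clients(log_text: str, min_ports: int = 2):
    """Clients that touched at least min_ports of the advisory's ports: a crude scan heuristic."""
    seen = {}
    for client, port, _path in records(log_text):
        if port in SSLVPN_PORTS:
            seen.setdefault(client, set()).add(port)
    return sorted(c for c, ports in seen.items() if len(ports) >= min_ports)
```

On the constructed sample, the three encoded and unencoded traversal requests from 198.51.100.9 are flagged and 192.0.2.44, which touched all three ports, is reported as a probable scanner.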

Impact

Due to these vulnerabilities, the APTs have been finding targets and deploying their malware onto systems, usually in the form of ransomware. Ransomware is a type of malware that typically encrypts specific critical data within a system. The system owners are then given a means to pay a fee, or ransom, in order to get the key to decrypt their files. The specific malware used in these recent attacks is relatively new and is known as “Cring.” However, the process is not a simple one, and it takes much planning and time learning about the target systems. Once a system has been identified and enumerated as vulnerable to CVE-2018-13379, the attackers are then able to use several other vulnerabilities and pieces of malware to gain access, exfiltrate user and password credentials, and finally deploy the encryption, or ransomware. One noteworthy component of these attacks is the infamous Mimikatz tool, known as one of the most powerful password and credential stealing platforms ever created. Ironically, the tool was created as a way to demonstrate how to protect systems against exactly this type of attack. As is often the case, the APTs using the Fortinet operating system holes have found a way to turn the software against itself. With this new weapon in the wild, and with so many systems remaining unprotected and not updated, it is possible that many more organizations will fall victim to these attackers over the coming weeks and months, with possible financial losses globally in the hundreds of millions.

Significance

Virtual Private Networks have become a huge industry since remote work surged globally in 2020. Much of this has been a result of the global COVID-19 pandemic, as these numbers began to spike in March of 2020 and continue to rise. It is expected that the global VPN market will top $107 billion within the next 5-7 years. An increase in VPN usage to 27% has been unprecedented, and more and more companies are joining the surge to provide these normally safe and secure networks to support the high demand. With such a huge spike in money being funneled into a new, internet-based tech field, it is a beacon for hackers to begin targeting these systems. Many nation-state threat actors are reaching further and further, developing new cyber-warfare weapons meant to exfiltrate military and industrial trade secrets, gain technical advantages without the need to fund research, and, very directly, siphon money from agencies that leave their doors open to attack. These APTs are able to spend many months performing reconnaissance, building attack infrastructure and enumerating vulnerabilities, and finally, when the iron is hot, they are able to strike with high efficiency. As much time as the cybersecurity community spends working to shore up defenses and mitigate threats, the relatively low cost and high rate of return of these attacks is the reason that so many countries around the world are taking this approach.

Sources

  1. APT Actors Exploit Vulnerabilities to Gain Initial Access. April 2, 2021. Accessed April 15, 2021. https://www.ic3.gov/Media/News/2021/210402.pdf.
  2. CVE-2018-13379 Detail. National Vulnerability Database, June 4, 2019. Accessed April 15, 2021. https://nvd.nist.gov/vuln/detail/CVE-2018-13379#VulnChangeHistorySection.
  3. FBI-CISA Joint Advisory on Exploitation of Fortinet FortiOS Vulnerabilities. April 2, 2021. Accessed April 15, 2021. https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios.
  4. Lakshmanan, Ravie. 2021. Hackers Exploit Unpatched VPNs to Install Ransomware on Industrial Targets. April 8. Accessed April 15, 2021. https://thehackernews.com/2021/04/hackers-exploit-unpatched-vpns-to.html.
  5. O’Driscoll, Aimee. 2021. VPN statistics: What the numbers tell us about VPNs. February 9. Accessed April 15, 2021. https://www.comparitech.com/vpn/vpn-statistics/.
  6. Paganini, Pierluigi. 2020. Threat actor shared a list of 49,577 IPs vulnerable Fortinet VPNs. November 22. Accessed April 15, 2021. https://securityaffairs.co/wordpress/111309/hacking/leak-vulnerable-fortinet-vpns.html.
  7. Vulnerability in FortiGate VPN servers is exploited in Cring ransomware attacks. April 7, 2021. Accessed April 15, 2021. https://ics-cert.kaspersky.com/reports/2021/04/07/vulnerability-in-fortigate-vpn-servers-is-exploited-in-cring-ransomware-attacks/.
  8. “Hacker publishes credentials stolen from Fortinet’s FortiGate VPNs.” siliconangle.com, November 25, 2020. Accessed April 25, 2021. https://siliconangle.com/2020/11/25/hacker-publishes-credentials-stolen-fortinet-fortigate-vpns/.