{"id":7518,"date":"2021-07-14T20:02:49","date_gmt":"2021-07-15T03:02:49","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7518"},"modified":"2023-04-05T12:39:00","modified_gmt":"2023-04-05T19:39:00","slug":"new-threat-group-agrius-exploits-old-fortinet-vpn-vulnerabilities","status":"publish","type":"post","link":"https:\/\/webdev.securin.xyz\/articles\/new-threat-group-agrius-exploits-old-fortinet-vpn-vulnerabilities\/","title":{"rendered":"New Threat Group Agrius Exploits Old Fortinet VPN Vulnerabilities"},"content":{"rendered":"<blockquote>\n<p dir=\"ltr\"><strong>{Updated September 2021}:<\/strong> On September 8, 2021, a new Russian-speaking threat actor was identified actively exploiting the Fortinet VPN vulnerability, CVE-2018-13379. The threat actor called <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hackers-leak-passwords-for-500-000-fortinet-vpn-accounts\/\" target=\"_blank\" rel=\"noopener\">Orange<\/a> is the administrator of the new RAMP hacking forum and was previously the operator of the Babuk Ransomware operation. They stole data from unpatched servers and put them up on a Groove Ransomware site. The perpetrator\u2019s <a href=\"https:\/\/thehackernews.com\/2021\/09\/hackers-leak-vpn-account-passwords-from.html\" target=\"_blank\" rel=\"noopener\">breach list<\/a> reportedly contains the login credentials to multiple top organizations in 74 countries, including India, France, Israel, Italy, Taiwan, and the USA.<\/p>\n<p dir=\"ltr\">CVE-2018-13379 has been one of the most widely exploited vulnerabilities of 2020 and was called out by CSW researchers in the <a href=\"https:\/\/cybersecurityworks.com\/ransomware\/\" target=\"_blank\" rel=\"noopener\">Ransomware Q2 report 2021<\/a>.<\/p>\n<p dir=\"ltr\"><strong>We urge our readers and clients to patch their Fortinet VPN servers without further delay to stave off a major ransomware attack.<\/strong><\/p>\n<\/blockquote>\n<p dir=\"ltr\"><strong>{Updated on August 18, 2021}: <\/strong>On 17 August 2021, researchers intimated Fortinet after discovering a zero-day command injection vulnerability, a variant of <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-22123\" target=\"_blank\" rel=\"noopener\">CVE-2021-22123<\/a>, in the FortiWeb Web Application Firewall (WAF).<\/p>\n<p dir=\"ltr\">This high severity vulnerability, which still does not have a CVE number, is likely to be classified under the weakness enumeration CWE-78 (Improper Neutralization of Special Elements used in an OS Command (\u2018OS Command Injection\u2019) with a CVSS v3 score of 8.8. The zero-day flaw allows authenticated attackers to execute arbitrary commands with root privileges on an underlying system via a SAML server configuration page.<\/p>\n<p>The vulnerability can also be chained with another authentication bypass flaw, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-29015\" target=\"_blank\" rel=\"noopener\">CVE-2020-29015<\/a>, giving an attacker full control of all vulnerable servers.<\/p>\n<p>The zero-day vulnerability impacts FortiWeb versions 6.3.11 and prior. A patch for the vulnerability is expected to be released with the version 6.4.1 upgrade coming up at the end August.<\/p>\n<p>We urge organizations to keep themselves up-to-date about the latest patches and security upgrades to avoid any untoward events.<\/p>\n<p>&nbsp;<\/p>\n<blockquote>\n<p dir=\"ltr\"><strong>In a latest update on 19 July 2021, Fortinet released an <a href=\"https:\/\/www.fortiguard.com\/psirt\/FG-IR-21-067\" target=\"_blank\" rel=\"noopener\">advisory<\/a>\u00a0to all its clients, sharing patch details and workarounds for a Use-After-Free vulnerability, classified under CWE-416, in FortiManager and FortiAnalyzer. Our research analyzed the vulnerability may lead to remote code execution after unauthorized access to root. Our analysis of the vulnerability is detailed below.<\/strong><\/p>\n<\/blockquote>\n<p><strong>Three Virtual Private Network (VPN) vulnerabilities in FortiOS that have existed for over a year now have recently been exploited in an attack against a <a href=\"https:\/\/securityaffairs.co\/wordpress\/118338\/apt\/fortinet-vpn-us-municipal-government.html\" target=\"_blank\" rel=\"noopener\">local US municipal government<\/a>. The newly discovered threat group, Agrius, has been observed using a\u00a0relatively new ransomware called Apostle to exploit these vulnerabilities.\u00a0<\/strong><\/p>\n<h2><strong>CSW warned of the Fortinet VPN vulnerabilities<\/strong><\/h2>\n<blockquote><p>The possibility of a VPN vulnerability being exploited was called out by CyberSecurityWorks one year ago in a <a href=\"https:\/\/cybersecurityworks.com\/blog\/cyber-risk\/do-vpns-have-our-back.html\">report<\/a> published in July 2020, enumerating three possible vulnerabilities, which were already weaponized.<\/p><\/blockquote>\n<p dir=\"ltr\"><b id=\"docs-internal-guid-c91dd889-7fff-f972-9505-6db2ceb03dcd\"><img decoding=\"async\" style=\"width: 402px; height: 280px;\" src=\"https:\/\/lh5.googleusercontent.com\/mD54GKH-wq0wBBiqjUHpU-vGqEFAbmFkfTEe_T_lGFc-ohSWIUjDGqGfSfsC2BiY4RjzIWTlTdjtAuUAvFFDmPllwVdNvL3nOHhl5zGhZhE6BbLLmV7U-U3PAh22Dnmx3Zx8hw6L\" \/><\/b><\/p>\n<p>Further, in an article published in December 2020, titled \u2018<a href=\"https:\/\/cybersecurityworks.com\/blog\/vulnerabilities\/fortinets-50000-vpn-leak-highlights-lack-of-cyber-hygiene.html\" target=\"_blank\" rel=\"noopener\">Fortinet\u2019s 50,000 VPN Leak Highlights Lack of Cyber Hygiene<\/a>\u2019, our analysis pointed out a critical vulnerability, CVE-2018-13379, in the restricted directory titled \u2018Path Traversal\u2019 in Fortinet VPN versions 5.4.6 to 6.0.4, putting close to 50,000 IP addresses at risk.<\/p>\n<p dir=\"ltr\"><b id=\"docs-internal-guid-ebdfe4e1-7fff-fa17-14ce-17f0ec432dd7\"><img decoding=\"async\" style=\"width: 450px; height: 143px;\" src=\"https:\/\/lh6.googleusercontent.com\/kXKwA-NNGz7wWNDZbJG0HQBSnE_4MnyHRtcNQJHLIeD7D8JKT_BsIeHQwoIkCn_UiYLu_olhUjhkfezxoLLAejMajRH0YyVHvJTloXiUslcVUS4pJ_VVnZMmtQHzE55KLm8F56fa\" \/><\/b><\/p>\n<h2 dir=\"ltr\"><strong>Fortinet Vulnerabilities<\/strong><\/h2>\n<p dir=\"ltr\"><strong>FortiManager &amp; FortiAnalyzer:<\/strong><\/p>\n<p dir=\"ltr\"><strong>CVE-2021-32589<\/strong><\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-32589\" target=\"_blank\" rel=\"noopener\">CVE-2021-32589<\/a> is a severe vulnerability with a CVSS v3 score of <strong>7.5<\/strong>.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">The CVE is categorized under CWE-416 (Use After Free) which is also listed in the 2021 CWE Top 10 Most Dangerous Software Weaknesses by MITRE.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">A <a href=\"https:\/\/us-cert.cisa.gov\/ncas\/current-activity\/2021\/07\/19\/fortinet-releases-security-updates-fortimanager-and-fortianalyzer\" target=\"_blank\" rel=\"noopener\">CISA advisory<\/a> was also issued, urging organizations to patch this vulnerability on priority.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">The vulnerability affects FortiManager and FortiAnalyzer versions 5.6.10, 6.0.10, 6.2.7, 6.4.5, 7.0.0 and 5.4.x and below.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Fortinet urges their customers to upgrade their versions of FortiManager and FortiAnalyzer as well as upgrade their FortiGate IPS definitions to v18.001 or above.<\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\" role=\"presentation\"><img decoding=\"async\" style=\"width: 200px; height: 200px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/fortianalyzer.jpg\" alt=\"FortiAnalyzer and FortiManager critical vulnerability \" \/><\/p>\n<p dir=\"ltr\">In the US municipal network attack, the threat actors accessed a web server hosting via a Fortigate vulnerability and created a username on a local network to allow for persistence attacks. Our research analyzed the vulnerabilities in Fortinet that could be potentially exploited to mount an attack. Here is our analysis of the vulnerabilities\u2014<\/p>\n<p dir=\"ltr\"><strong>FortiGate SSL VPN:<\/strong><\/p>\n<p dir=\"ltr\"><strong>CVE-2018-13379<\/strong><\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2018-13379\" target=\"_blank\" rel=\"noopener\">CVE-2018-13379<\/a> is a pre-authorization arbitrary file reading vulnerability, according to the <a href=\"https:\/\/www.bankinfosecurity.com\/blogs\/nsa-latest-intelligence-agency-to-sound-vpn-patch-alarm-p-2800\" target=\"_blank\" rel=\"noopener\">alert issued by the NSA<\/a>.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Classified under the weakness enumeration CWE-22 (improper limitation in the path name to a restricted \u2018Path Traversal\u2019 directory), this critical vulnerability has a severity rating of 9.8 on the CVSS v3 score.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">This CVE has been exploited by 7 Advanced Persistent Threat (APT) groups and has a Remote Code Execution (RCE) capability.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">It allows an attacker on the same network to send malicious service location protocol (SLP) requests to take control of it.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Our research indicates that this vulnerability is trending in hacker channels and the dark web.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">This CVE has also been associated with several ransomware attacks in the past, namely, <a href=\"https:\/\/beta.darkreading.com\/threat-intelligence\/new-iranian-threat-actor-using-ransomware-wipers-in-destructive-attacks\" target=\"_blank\" rel=\"noopener\">Apostle (November 2020)<\/a>, <a href=\"https:\/\/ics-cert.kaspersky.com\/reports\/2021\/04\/07\/vulnerability-in-fortigate-vpn-servers-is-exploited-in-cring-ransomware-attacks\/\" target=\"_blank\" rel=\"noopener\">Cring (January 2021)<\/a>, <a href=\"https:\/\/www.clearskysec.com\/wp-content\/uploads\/2020\/12\/Pay2Kitten.pdf\" target=\"_blank\" rel=\"noopener\">Pay2Key (2020)<\/a> and<a href=\"https:\/\/www.trendmicro.com\/vinfo\/hk-en\/security\/news\/cybercrime-and-digital-threats\/ransomware-double-extortion-and-beyond-revil-clop-and-conti\" target=\"_blank\" rel=\"noopener\"> Conti (December 2019)<\/a>.<\/p>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\"><strong>CVE-2020-12812<\/strong><\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-12812\" target=\"_blank\" rel=\"noopener\">CVE-2020-12812<\/a>, leads to an improper authentication exploit (CWE-287) in the FortiOS system.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">The <a href=\"https:\/\/vulners.com\/cisa\/CISA:24BBE0D109CEB29CF9FC28CEA2AD0CFF\" target=\"_blank\" rel=\"noopener\">FBI and CISA<\/a> have issued alerts urging organizations to patch this vulnerability on priority.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Classified under CWE-287 (Improper Authentication), this critical vulnerability has a severity rating of 9.8 in CVSS v3 score.<\/p>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\"><strong>CVE-2019-5591<\/strong><\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-5591\" target=\"_blank\" rel=\"noopener\">CVE-2019-5591<\/a> is a medium severity vulnerability with a score of 6.5 from CVSS v3.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Categorized under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) the medium severity rating of this vulnerability allows it to fly past the radar of security teams.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">This vulnerability is trending in the wild, therefore organizations need to patch it immediately.<\/p>\n<\/li>\n<\/ul>\n<p><strong>Two high-severity vulnerabilities known to have remote access capabilities were also identified in the FortiWeb Firewall.\u00a0<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\"><strong>FortiWeb Firewall:<\/strong><\/p>\n<p dir=\"ltr\"><strong>CVE-2021-22123<\/strong><\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-22123\" target=\"_blank\" rel=\"noopener\">CVE-2021-22123<\/a> is a high severity vulnerability with a CvSS v3 score of 8.8.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">The CVE is categorized under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), which is also listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses by MITRE.<\/p>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\"><strong>CVE-2020-29015\u00a0<\/strong><\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-29015\" target=\"_blank\" rel=\"noopener\">CVE-2020-29015<\/a> is a critical severity vulnerability with a CvSS v3 score of 9.8.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Categorized under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command (&#8216;SQL Injection&#8217;)), the critical vulnerability is also part of the 2020 CWE Top 25 Most Dangerous Software Weaknesses by MITRE.<\/p>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<blockquote>\n<p dir=\"ltr\"><strong>It is noted that the CVE-2021-22123 can have a more serious impact if chained with a misconfiguration and a separate vulnerability, CVE-2020-29015. When these two vulnerabilities are combined, threat actors can gain complete remote access to the internal network, bypassing the FortiWeb Firewall.\u00a0<\/strong><\/p>\n<\/blockquote>\n<p dir=\"ltr\"><img decoding=\"async\" style=\"width: 400px; height: 400px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/fortinet-vpn-and-firewall-vulnerabilities.png\" alt=\"Fortinet VPN and FortiWeb Firewall Vulnerabilities Infographic\" \/><\/p>\n<h2 dir=\"ltr\"><strong>New APT group Agrius exploiting CVE-2018-13379<\/strong><\/h2>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\">On 28 May 2021, a new Iranian APT hacking group, Agrius, <a href=\"https:\/\/www.zdnet.com\/article\/iranian-hacking-group-agrius-pretends-to-encrypt-files-for-a-ransom-destroys-it-instead\/?&amp;web_view=true\" target=\"_blank\" rel=\"noopener\">exploited an unpatched vulnerability<\/a> in the Fortinet VPN. Our research shows that Agrius group is targeting multiple sectors<b id=\"docs-internal-guid-658da639-7fff-2c65-48d2-44d363027216\">\u2014<\/b>Technology\/IT, Banking\/Financial\/Wealth Management, Outsourcing &amp; Hosting, Transportation &amp; Shipping, Energy\/Oil &amp; Gas, Process Manufacturing, Discrete Manufacturing, and Industrial Insurance. Our recommendation to organizations would be to patch all these vulnerabilities on priority.<\/p>\n<p>&nbsp;<\/p>\n<p><iframe class=\"airtable-embed\" style=\"background: transparent; border: 1px solid #ccc;\" src=\"https:\/\/airtable.com\/embed\/shrd6iP2U1St9XeWg?backgroundColor=blue&amp;viewControls=on\" width=\"100%\" height=\"533\" frameborder=\"0\"><\/iframe><\/p>\n<p style=\"text-align: center;\"><strong>Table: Fortinet VPN Patches<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h2 dir=\"ltr\"><strong>Agrius Attack Methodology<\/strong><\/h2>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\">The Agrius group uses a new ransomware, titled Apostle, in their exploits. The group encrypts files for ransom but eventually wipes the files clean using a strain of the dangerous Deadwood (also called Detbosit) destructive wiper malware.<\/p>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\">The <a href=\"https:\/\/www.ic3.gov\/Media\/News\/2021\/210402.pdf\" target=\"_blank\" rel=\"noopener\">Joint Cybersecurity Advisory report<\/a> identified the threat actors scanning Fortinet ports 4443, 8443 and 10443 to exploit any critical vulnerabilities in them. It is suspected that the APT group then conducts distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns.<\/p>\n<h2 dir=\"ltr\"><strong>Agrius MITRE ATT&amp;CK Mapping<\/strong><\/h2>\n<p><img decoding=\"async\" style=\"width: 100%; height: 100%;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/agrius-mitre-attck-mapping-1.png\" alt=\"Agrius Fortinet MITRE ATT&amp;CK Mapping\" \/><\/p>\n<table style=\"width: 500px;\" border=\"1\" cellspacing=\"1\" cellpadding=\"1\" align=\"center\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><strong>IoCs for Agrius Group<\/strong><\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\"><span style=\"font-size: 10px;\">IOCs (SHA 256):<\/span><\/p>\n<p dir=\"ltr\"><span style=\"font-size: 10px;\">6FB07A9855EDC862E59145AED973DE9D459A6F45F17A8E779B95D4C55502DCCE<\/span><\/p>\n<p dir=\"ltr\"><span style=\"font-size: 10px;\">E37BFAD12D44A247AC99FDF30F5AC40A0448A097E36F3DBBA532688B5678AD13<\/span><\/p>\n<p dir=\"ltr\"><span style=\"font-size: 10px;\">3E9C6F384B63EBEAA729B7C97A179D409CDD859315EE2F6372A2A550E567445F<\/span><\/p>\n<p dir=\"ltr\"><span style=\"font-size: 10px;\">B30405D654C1BFCD5E2BD338CC16E971738CEB6BA069DA413195358B9CA3A2A2<\/span><\/p>\n<p dir=\"ltr\"><span style=\"font-size: 10px;\">6505ECD35E45E521F5E37FEBD01BE04166D725BA87552777C17517533AFC6329<\/span><\/p>\n<p dir=\"ltr\"><span style=\"font-size: 10px;\">FC949BD5AA0E704901F12624BADD591768EA5613560BD3D88C396479235DA095<\/span><\/p>\n<p dir=\"ltr\"><span style=\"font-size: 10px;\">96CC69242A7900810C4D2E9F3F55AAD8EDB89137959F4C370F80A6E574DDC201<\/span><\/p>\n<p dir=\"ltr\"><span style=\"font-size: 10px;\">40F329D0AABA0D55FC657802761C78BE74E19A553DE6FD2DF592BCCF3119EC16<\/span><\/p>\n<p dir=\"ltr\"><span style=\"font-size: 10px;\">7B525FE7117FFD8DF01588EFB874C1B87E4AD2CD7D1E1CEECB5BAF2E9C052A52<\/span><\/p>\n<p dir=\"ltr\"><span style=\"font-size: 10px;\">19DBED996B1A814658BEF433BAD62B03E5C59C2BF2351B793D1A5D4A5216D27E<\/span><\/p>\n<p dir=\"ltr\"><span style=\"font-size: 10px;\">5EB5922B467474DCCC7AB8780E32697F5AFD59E8108B0CDAFEFB627B02BBD9BA<\/span><\/p>\n<p dir=\"ltr\"><span style=\"font-size: 10px;\">18C92F23B646EB85D67A890296000212091F930B1FE9E92033F123BE3581A90F<\/span><\/p>\n<p dir=\"ltr\"><span style=\"font-size: 10px;\">E889D4B2CFB48B6E8F972846538DFBC057DBFC35FA28F0515CAD4D60780A9872<\/span><\/p>\n<p dir=\"ltr\"><span style=\"font-size: 10px;\">4A50073F841A1BEAA5900241FCE76ED242659130E065DBD38BE318A650B1264A<\/span><\/p>\n<p dir=\"ltr\"><span style=\"font-size: 10px;\">B5149C1AAE5C899A0F3A4BE162E24C08D284F67F6B9FB70439CE6D91353A540C<\/span><\/p>\n<p dir=\"ltr\"><span style=\"font-size: 10px;\">DF94D32997E22BAE2E5745EB3120947B025F79A16CF4B710131F911B12D960CC<\/span><\/p>\n<p dir=\"ltr\"><span style=\"font-size: 10px;\">85F16DF007FC848731ED02E0C3D8DD3AB1F2F2BF8C1B6999F7D9FF98A1CAC1C7<\/span><\/p>\n<p dir=\"ltr\"><span style=\"font-size: 10px;\">F18DD50DDE8C1101EB3C892FC2BF04B7779C2C0DEF27DE1D6C1FD341F3ECDF6C<\/span><\/p>\n<p dir=\"ltr\"><span style=\"font-size: 10px;\">5F5EDAE2CAE4DB0EE988962CA2E7CCCD1892E4F4B512FBB780210595C7BA7088<\/span><\/p>\n<p dir=\"ltr\"><span style=\"font-size: 10px;\">BAC77143CB8829C802A6723A397277AA34BA2738103D78517B36C6CFB06724EF<\/span><\/p>\n<p dir=\"ltr\"><span style=\"font-size: 10px;\">E4EA1728E19699612B5614CC0B8829A4BF749870648BE6EFC1B8A88C036F3607<\/span><\/p>\n<p dir=\"ltr\"><span style=\"font-size: 10px;\">CCFC0A2652916543E0CE972B38BA50815E8DF11387502519607C9FD4F91D635F<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<h2 dir=\"ltr\"><strong>Fortinet Exposure Analysis<\/strong><\/h2>\n<p dir=\"ltr\">Our exposure analysis using Shodan indicates that there are several thousand networks that are vulnerable to these attacks if they are not patched immediately. The other ports at risk apart from the ones mentioned in the Joint Cybersecurity Advisory report are listed below.<\/p>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" style=\"width: 513px; height: 394px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/fortinet-shodan.png\" alt=\"Fortinet Shodan Exposure Analysis\" \/><\/p>\n<h2 dir=\"ltr\"><strong>How can we mitigate the threat?\u00a0<\/strong><\/h2>\n<p dir=\"ltr\">On April 2, 2021, CISA and FBI published a<a href=\"https:\/\/us-cert.cisa.gov\/ncas\/current-activity\/2021\/04\/02\/fbi-cisa-joint-advisory-exploitation-fortinet-fortios\" target=\"_blank\" rel=\"noopener\"> joint warning<\/a> to warn government, commercial and technology services enterprises about this vulnerability. On May 31, 2021, <a href=\"https:\/\/www.cxotoday.com\/press-release\/fbi-issues-second-alert-on-attackers-leveraging-three-legacy-fortinet-vulnerabilities\/\" target=\"_blank\" rel=\"noopener\">FBI published a second alert<\/a> about hackers leveraging the FortiGate SSL VPN vulnerabilities.<\/p>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\">Despite the repeated warnings and seven notifications over a span of 18 months, the vulnerability still remains unpatched in many cases. A <a href=\"https:\/\/www.fortiguard.com\/psirt\/FG-IR-18-384\" target=\"_blank\" rel=\"noopener\">Fortinet PSIRT Advisory<\/a> mentions that the IP addresses to unpatched devices are being sold on the dark web, jeopardizing several thousands of users to a cyber attack. An upgrade from FortiOS 5.4 or 6.0 to the latest version (FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above) will mitigate the threat.<\/p>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\"><strong>Attackers need only one vulnerability to exploit and take down an organization. Organizations, therefore, need to adopt a risk-based approach and manage the vulnerabilities in their attack surfaces to boost their security posture.\u00a0<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>To know more about CSW\u2019s Vulnerability Management as a Service (VMaaS), please visit <a href=\"https:\/\/cybersecurityworks.com\/services\/vulnerability-management-as-a-service\" target=\"_blank\" rel=\"noopener\">https:\/\/cybersecurityworks.com\/services\/vulnerability-management-as-a-service<\/a>.<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>New APT Group Agrius is exploiting Fortinet\u2019s vulnerabilities to attack their targets. Shodan results show 56000 target assets around the world that could be vulnerable to an attack. Check out our analysis for more information.<\/p>\n","protected":false},"author":1,"featured_media":7519,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[82,80,123,154],"tags":[378,107,375,376,357,377,106,149],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/posts\/7518"}],"collection":[{"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/comments?post=7518"}],"version-history":[{"count":3,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/posts\/7518\/revisions"}],"predecessor-version":[{"id":17398,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/posts\/7518\/revisions\/17398"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/media\/7519"}],"wp:attachment":[{"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/media?parent=7518"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/categories?post=7518"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/tags?post=7518"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}