New Threat Group Agrius Exploits Old Fortinet VPN Vulnerabilities
Posted on 14th Jul, 2021 | By Surojoy, Priya
In its latest update, on 19 July 2021, Fortinet released an advisory to all its clients, sharing patch details and workarounds for a Use-After-Free vulnerability, classified under CWE-416, in FortiManager and FortiAnalyzer. Our research indicates that the vulnerability may lead to remote code execution after unauthorized root access. Our analysis of the vulnerability is detailed below.
Three Virtual Private Network (VPN) vulnerabilities in FortiOS that have existed for over a year now have recently been exploited in an attack against a local US municipal government. The newly discovered threat group, Agrius, has been observed using a relatively new ransomware called Apostle to exploit these vulnerabilities.
CSW warned of the Fortinet VPN vulnerabilities
The possibility of a VPN vulnerability being exploited was called out by CyberSecurityWorks one year ago in a report published in July 2020, enumerating three possible vulnerabilities, which were already weaponized.
Further, in an article published in December 2020, titled ‘Fortinet’s 50,000 VPN Leak Highlights Lack of Cyber Hygiene’, our analysis pointed out a critical path traversal vulnerability, CVE-2018-13379, in Fortinet VPN versions 5.4.6 to 6.0.4, putting close to 50,000 IP addresses at risk.
FortiManager & FortiAnalyzer:
CVE-2021-32589 is a severe vulnerability with a CVSS v3 score of 7.5.
The CVE is categorized under CWE-416 (Use After Free), which is also listed in the 2021 CWE Top 10 Most Dangerous Software Weaknesses by MITRE.
A CISA advisory was also issued, urging organizations to patch this vulnerability on priority.
The vulnerability affects FortiManager and FortiAnalyzer versions 5.6.10, 6.0.10, 6.2.7, 6.4.5, 7.0.0 and 5.4.x and below.
Fortinet urges their customers to upgrade their versions of FortiManager and FortiAnalyzer as well as upgrade their FortiGate IPS definitions to v18.001 or above.
In the US municipal network attack, the threat actors accessed a web server via a FortiGate vulnerability and created a user account on the local network to maintain persistence. Our research analyzed the vulnerabilities in Fortinet that could potentially be exploited to mount such an attack. Here is our analysis of the vulnerabilities:
FortiGate SSL VPN:
Classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, ‘Path Traversal’), this critical vulnerability has a severity rating of 9.8 on the CVSS v3 scale.
This CVE has been exploited by 7 Advanced Persistent Threat (APT) groups and has a Remote Code Execution (RCE) capability.
It allows an attacker on the same network to send malicious Service Location Protocol (SLP) requests to take control of the device.
Our research indicates that this vulnerability is trending in hacker channels and the dark web.
CVE-2020-12812 is an improper authentication vulnerability (CWE-287) in FortiOS.
The FBI and CISA have issued alerts urging organizations to patch this vulnerability on priority.
Classified under CWE-287 (Improper Authentication), this critical vulnerability has a CVSS v3 score of 9.8.
CVE-2019-5591 is a medium severity vulnerability with a score of 6.5 from CVSS v3.
Categorized under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), its medium severity rating lets this vulnerability slip past the radar of security teams.
This vulnerability is trending in the wild, therefore organizations need to patch it immediately.
Two high-severity vulnerabilities known to have remote access capabilities were also identified in the FortiWeb Firewall.
CVE-2021-22123 is a high severity vulnerability with a CVSS v3 score of 8.8.
The CVE is categorized under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), which is also listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses by MITRE.
CVE-2020-29015 is a critical severity vulnerability with a CVSS v3 score of 9.8.
Categorized under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')), the critical vulnerability is also part of the 2020 CWE Top 25 Most Dangerous Software Weaknesses by MITRE.
CVE-2021-22123 can have a more serious impact if chained with a misconfiguration and a separate vulnerability, CVE-2020-29015. When these two vulnerabilities are combined, threat actors can gain complete remote access to the internal network, bypassing the FortiWeb Firewall.
New APT group Agrius exploiting CVE-2018-13379
On 28 May 2021, a new Iranian APT hacking group, Agrius, exploited an unpatched vulnerability in the Fortinet VPN. Our research shows that the Agrius group is targeting multiple sectors: Technology/IT, Banking/Financial/Wealth Management, Outsourcing & Hosting, Transportation & Shipping, Energy/Oil & Gas, Process Manufacturing, Discrete Manufacturing, and Industrial Insurance. Our recommendation to organizations is to patch all these vulnerabilities on priority.
Table: Fortinet VPN Patches
Agrius Attack Methodology
The Agrius group uses a new ransomware, titled Apostle, in its attacks. The group encrypts files for ransom but eventually wipes the files using a strain of the dangerous Deadwood (also called Detbosit) destructive wiper malware.
The Joint Cybersecurity Advisory report identified the threat actors scanning Fortinet ports 4443, 8443 and 10443 to exploit any critical vulnerabilities in them. It is suspected that the APT group then conducts distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns.
Agrius MITRE ATT&CK Mapping
IoCs for Agrius Group
IOCs (SHA 256):
Fortinet Exposure Analysis
Our exposure analysis using Shodan indicates that there are several thousand networks that are vulnerable to these attacks if they are not patched immediately. The other ports at risk apart from the ones mentioned in the Joint Cybersecurity Advisory report are listed below.
How can we mitigate the threat?
On April 2, 2021, CISA and the FBI published a joint advisory warning government, commercial and technology services enterprises about this vulnerability. On May 31, 2021, the FBI published a second alert about hackers leveraging the FortiGate SSL VPN vulnerabilities.
Despite the repeated warnings and seven notifications over a span of 18 months, the vulnerability still remains unpatched in many cases. A Fortinet PSIRT Advisory mentions that the IP addresses of unpatched devices are being sold on the dark web, exposing several thousand users to cyber attack. An upgrade from FortiOS 5.4 or 6.0 to the latest version (FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above) will mitigate the threat.
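A patch-state triage for FortiOS builds against CVE-2018-13379, added here as an example (it is not CSW's or Fortinet's code). It encodes only the versions the post names: the affected range 5.4.6 to 6.0.4 and the fixed releases 5.4.13, 5.6.8 and 6.0.5, and it assumes 6.2.0 and later fall outside the affected range. The inventory lines and hostnames are constructed sample input.

```python
"""Triage FortiOS builds against CVE-2018-13379 using the versions named in the post."""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Affected FortiOS range for CVE-2018-13379, inclusive (from the post).
AFFECTED_LOW: Version = (5, 4, 6)
AFFECTED_HIGH: Version = (6, 0, 4)

# First fixed build on each maintained branch, as named in the post.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (5, 4): (5, 4, 13),
    (5, 6): (5, 6, 8),
    (6, 0): (6, 0, 5),
}
# Assumption: the post lists "6.2.0 and above" as safe, so that branch is unaffected.
MIN_SAFE_BRANCH: Tuple[int, int] = (6, 2)


def parse_version(text: str) -> Version:
    """Parse 'v6.0.4', '6.0.4,build0272' or '6.0.4' into (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def triage(version_text: str) -> str:
    """Return 'vulnerable', 'patched' or 'unaffected' for one FortiOS build.

    Builds below 5.4.6 come back 'unaffected' only because the post's range
    does not list them; they are still end-of-life and should be upgraded.
    """
    v = parse_version(version_text)
    branch = v[:2]
    if branch >= MIN_SAFE_BRANCH:
        return "unaffected"
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is not None and v >= fixed:
        return "patched"
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        return "vulnerable"
    return "unaffected"


# Constructed sample inventory: "<hostname> <version string>" per line.
SAMPLE_INVENTORY = """fw-hq-01 v6.0.4,build0272
fw-hq-02 v6.0.5,build0268
fw-branch-a v5.4.12
fw-branch-b v5.6.8
fw-dc-01 v6.2.3
"""


def triage_inventory(inventory: str) -> Dict[str, str]:
    """Map each hostname in an inventory dump to its CVE-2018-13379 triage status."""
    return {host: triage(ver) for host, ver in
            (line.split(None, 1) for line in inventory.splitlines() if line.strip())}
```

Devices reported as "vulnerable" are the ones an upgrade to the fixed build on their branch (or to 6.2.0 and above) would remediate.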
Attackers need only one vulnerability to exploit and take down an organization. Organizations, therefore, need to adopt a risk-based approach and manage the vulnerabilities in their attack surfaces to boost their security posture.
To know more about CSW’s Vulnerability Management as a Service (VMaaS), please visit https://cybersecurityworks.com/services/vulnerability-management-as-a-service.