Cyber criminals and nation-state cyber-espionage operations are actively scanning for unpatched vulnerabilities in Fortinet VPNs; organisations that use Fortigate firewalls on their network, and have yet to apply a critical security update released almost two years ago, should assume they've been compromised and act accordingly.
The alert from the National Cyber Security Centre (NCSC) follows a report by Kaspersky detailing how cyber criminals are exploiting a Fortinet VPN vulnerability (CVE-2018-13379) to distribute ransomware by exploiting unpatched systems and remotely accessing usernames and passwords, allowing them to manually undertake activity on the network.
The NCSC – along with CISA and the FBI – has also warned that Advanced Persistent Threat (APT) nation-state hacking groups are still actively scanning for unpatched CVE-2018-13379 vulnerabilities as a means of gaining access to networks for cyber-espionage campaigns.
SEE: The best free VPNs: Why they don't exist
Fortinet issued a critical security update to counter the security vulnerability after it was discovered in 2019, but almost two years later a significant number of organisations have yet to apply the patch to their enterprise network, leaving them vulnerable to cyberattacks.
Cyber criminals have published a list of almost 50,000 IP addresses relating to unpatched devices; the NCSC warns that 600 of these are in the UK and that the organisations running them are "at very high risk of exploitation".
In fact, the NCSC has warned that organisations using unpatched Fortinet VPN devices must assume they are now compromised, and should begin incident management procedures. That includes removing the device from service and returning it to factory settings, as well as investigating the network for suspicious or unexpected activity.
"This recent activity emphasises the importance of NCSC advice to install security updates as soon as is practicable following their release to ensure action is taken before exploitation is observed," said the alert.
The NCSC recommends that all Fortinet VPN users check whether the 2019 updates have been installed, and if they haven't to apply them immediately to prevent cyber attackers from exploiting the vulnerability.
SEE: Ransomware: Why we're now facing a perfect storm
"The security of our customers is our first priority. For example, CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a PSIRT advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019, July 2020, and again in April 2021 strongly recommending an upgrade," a Fortinet spokesperson told ZDNet.
"If customers have not done so, we urge them to immediately implement the upgrade and mitigations," Fortinet added.