Cyber criminals and nation-state cyber-espionage operations are actively scanning for unpatched vulnerabilities in Fortinet VPNs; organisations that run FortiGate firewalls on their network and have yet to apply a critical security update released almost two years ago should assume they have been compromised and act accordingly.
The alert from the National Cyber Security Centre (NCSC) follows a report by Kaspersky detailing how cyber criminals are exploiting a Fortinet VPN vulnerability (CVE-2018-13379) on unpatched systems to remotely obtain usernames and passwords, which then let them log in and manually carry out activity on the network, including distributing ransomware.
The NCSC, along with CISA and the FBI, has also warned that Advanced Persistent Threat (APT) nation-state hacking groups are still actively scanning for devices that remain unpatched against CVE-2018-13379 as a means of gaining access to networks for cyber-espionage campaigns.
Fortinet issued a critical security update to counter the security vulnerability after it was discovered in 2019, but almost two years later a significant number of organisations have yet to apply the patch to their enterprise network, leaving them vulnerable to cyberattacks.
Cyber criminals have published a list of almost 50,000 IP addresses relating to unpatched devices; the NCSC warns that 600 of these are in the UK and that the organisations running them are "at very high risk of exploitation".
In fact, the NCSC has warned that organisations using unpatched Fortinet VPN devices must assume they are now compromised, and should begin incident management procedures. That includes removing the device from service and returning it to factory settings, as well as investigating the network for suspicious or unexpected activity.
"This recent activity emphasises the importance of NCSC advice to install security updates as soon as is practicable following their release to ensure action is taken before exploitation is observed," said the alert.
The NCSC recommends that all Fortinet VPN users check whether the 2019 updates have been installed and, if they have not, apply them immediately to prevent cyber attackers from exploiting the vulnerability.
"The security of our customers is our first priority. For example, CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a PSIRT advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019, July 2020, and again in April 2021 strongly recommending an upgrade," a Fortinet spokesperson told ZDNet.
"If customers have not done so, we urge them to immediately implement the upgrade and mitigations," Fortinet added.