The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have warned that threat actors were likely exploiting critical vulnerabilities in the Fortinet FortiOS VPN to plant backdoors in a bid to return and steal data or conduct ransomware campaigns.
Fortinet FortiOS is the operating system that powers the company's gamut of security offerings.
“The FBI and CISA believe the APT [advanced persistent threat ] actors are likely exploiting these Fortinet FortiOS vulnerabilities to gain access to multiple government, commercial, and technology services networks,” warns the joint advisory.
We're looking at how our readers use VPN for a forthcoming in-depth report. We'd love to hear your thoughts in the survey below. It won't take more than 60 seconds of your time.
- Protect your devices with these best antivirus software
- Here's our choice of the best malware removal software on the market
- We've also put together a list of the best endpoint protection software
The agencies specifically point to three vulnerabilities, tracked as CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. The agencies say the hackers could exploit any or all of these vulnerabilities to gain access to secure networks.
Fortinet has already issued patches to mitigate the threats arising from all of these vulnerabilities. The agencies warn that cyberattackers are actively scanning the Internet looking for systems that have not yet applied the patches to plug the vulnerabilities.
Two of the three already-patched vulnerabilities listed in the advisory, CVE-2018-13379 and CVE-2020-12812, are particularly severe because they can be exploited by unauthenticated users to steal authentication credentials and connect to vulnerable VPNs.
In their bid to get Fortinet users to act, the agencies also give a rundown of the type of attacks that can be conducted using the vulnerabilities.
“APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spearphishing campaigns, website defacements, and disinformation campaigns,” note the agencies.
In an emailed statement, Fortinet urged its customers who haven’t applied the patches as yet to do so immediately.
- We’ve also rounded up the best business VPN services