"Cybercriminals Selling Access to Networks Compromised via Recent Fortinet Vulnerability"

Security researchers at Cyble have recently observed initial access brokers (IABs) selling access to enterprise networks likely compromised via a recently patched critical vulnerability in Fortinet products. Tracked as CVE-2022-40684 and impacting FortiOS, FortiProxy, and FortiSwitchManager products, the vulnerability was publicly disclosed in early October, when it was already exploited in malicious attacks.

The researchers noted that the issue is an authentication bypass allowing a remote attacker to use specially crafted HTTP or HTTPS requests to perform unauthorized operations on a vulnerable appliance's admin interface. The researchers stated that, essentially, the security defect provides the attacker with admin access to SSH on the target appliance, allowing the attacker to update or add a valid public SSH key to the device and gain complete control over it.

According to Cyble, there are more than 100,000 FortiGate firewalls accessible from the internet, and any of these instances that have not been patched might become a target for the attackers. Cyble noted that it has already seen cybercriminals offering access to networks that were likely compromised via CVE-2022-40684.

The researchers say that they observed a threat actor "distributing multiple unauthorized Fortinet VPN access over one of the Russian cybercrime forums." While analyzing the access, it was found that the attacker was attempting to add their own public key to the admin user's account. The victim organizations were using outdated FortiOS. Hence, with high confidence, the researchers concluded that the threat actor behind this sale exploited CVE-2022-40684.

The researchers noted that attacks targeting Fortinet instances have been ongoing since October 17. In mid-October, Fortinet raised the alarm on the increasing number of attacks targeting CVE-2022-40684, warning of a slow patching pace and of the public availability of proof-of-concept (PoC) code.
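As an added defender-side check (not from the Cyble or SecurityWeek report), the script below parses the `config system admin` section of a FortiOS configuration backup and flags any admin SSH public key that is not on an approved list, the persistence mechanism the researchers describe. The config syntax and setting names (`ssh-public-key1`, `ssh-public-key2`) are assumed from the FortiOS CLI; the sample configuration and every key in it are constructed placeholders.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of a FortiOS configuration backup (syntax assumed from
# the FortiOS CLI). The keys are placeholders, not real credentials.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCknown-admin-key"
        set ssh-public-key2 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUNKNOWNKEY attacker@host"
    next
    edit "backup-operator"
        set accprofile "prof_admin"
    next
end
"""

# Keys the organization actually issued; assumed to be kept out of band
# (e.g. in a key inventory), never taken from the device being checked.
APPROVED_KEYS: Set[str] = {
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCknown-admin-key",
}

ADMIN_BLOCK = re.compile(r"config system admin\n(.*?)\nend", re.S)
EDIT_RE = re.compile(r'^\s*edit "([^"]+)"\n(.*?)^\s*next', re.S | re.M)
KEY_RE = re.compile(r'^\s*set ssh-public-key\d+ "([^"]+)"', re.M)


def normalize_key(key: str) -> str:
    """Keep only key type and base64 body so a changed comment cannot hide a match."""
    return " ".join(key.split()[:2])


def admin_ssh_keys(config_text: str) -> Dict[str, List[str]]:
    """Return {admin_name: [normalized ssh public keys]} from the config backup."""
    block = ADMIN_BLOCK.search(config_text)
    if not block:
        return {}
    return {name: [normalize_key(k) for k in KEY_RE.findall(body)]
            for name, body in EDIT_RE.findall(block.group(1))}


def unapproved_admin_keys(config_text: str, approved: Set[str]) -> List[Tuple[str, str]]:
    """Flag every (admin, key) pair whose key is not in the approved inventory."""
    return [(name, key) for name, keys in admin_ssh_keys(config_text).items()
            for key in keys if key not in approved]
```

Any finding warrants treating the appliance as compromised rather than simply deleting the key, since the same access also allows configuration and credential changes.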


SecurityWeek reports: "Cybercriminals Selling Access to Networks Compromised via Recent Fortinet Vulnerability"
