
APT Actors Still Exploiting VPN Bugs

by Chris Brook on Monday April 5, 2021


APT groups increasingly targeted CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591 last month.

Government agencies like the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) continue to warn about the dangers posed by unpatched VPN bugs.

In a joint advisory on Friday, both the FBI and CISA reiterated the problems caused by vulnerabilities left unpatched, specifically CVEs associated with Fortinet FortiOS. FortiOS, Fortinet's operating system, helps administrators control security and networking capabilities across their network.

The agencies say that over the past month they've seen APT groups scanning devices on ports 4443, 8443, and 10443 for three vulnerabilities: one that's fairly old, CVE-2018-13379, along with CVE-2020-12812 and CVE-2019-5591. The fact that scans are up for all three suggests attackers are using multiple CVEs in hopes of compromising devices.

The advisory posits that attackers might be using the vulnerabilities first to gain access to entities - FBI and CISA say government, commercial, and technology services networks are chief targets - and establish a foothold from which they can carry out future attacks.

“The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks,” the advisory reads, “APT actors may use other CVEs or common exploitation techniques—such as spearphishing—to gain access to critical infrastructure networks to pre-position for follow-on attacks.”

Experts have been warning about one vulnerability, the path traversal (CVE-2018-13379) in the FortiOS SSL VPN web portal, for years.

At Black Hat in 2019, researchers showed how the bug, a pre-authentication arbitrary file read, could let an unauthenticated attacker download files through specially crafted HTTP resource requests. The bug was fixed in a handful of versions (FortiOS 5.4.13, 5.6.11, 6.0.6 and 6.2.2) in May 2019, but has apparently lingered long enough that it remains a favorite attack vector for APT groups.
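As an added illustration (not part of the original article or of any Fortinet or CISA tooling), the following Python scans constructed firewall/web-access log lines for two of the behaviours described above: sources probing more than one of the 4443/8443/10443 VPN ports, and requests to those ports carrying a generic directory-traversal marker. The log format, IP addresses and request paths are all constructed for the example.

```python
import re
from collections import defaultdict

# Ports the FBI/CISA advisory says APT actors are scanning for FortiOS SSL VPN bugs
WATCHED_PORTS = {4443, 8443, 10443}
# Generic directory-traversal markers: "../" and its common URL-encoded forms
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.%2f|%2e%2e/|%2e%2e%2f)", re.IGNORECASE)

# Constructed sample log lines: "timestamp src_ip dst_port method path"
SAMPLE_LOGS = """\
2021-03-02T10:00:01Z 203.0.113.7 4443 GET /remote/login
2021-03-02T10:00:02Z 203.0.113.7 8443 GET /remote/login
2021-03-02T10:00:03Z 203.0.113.7 10443 GET /remote/login
2021-03-02T10:05:00Z 198.51.100.9 10443 GET /remote/../../../etc/hosts
2021-03-02T10:06:00Z 192.0.2.44 10443 GET /remote/login
2021-03-02T10:07:00Z 192.0.2.44 10443 POST /remote/logincheck
2021-03-02T10:08:00Z 198.51.100.9 8443 GET /remote/..%2f..%2fetc/hosts
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (\S+)$")


def parse(logs):
    """Yield (timestamp, src, port, path) for each well-formed line; skip the rest."""
    for line in logs.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, port, _method, path = m.groups()
            yield ts, src, int(port), path


def find_port_scanners(logs, min_ports=2):
    """Sources that touched at least `min_ports` distinct watched VPN ports."""
    seen = defaultdict(set)
    for _ts, src, port, _path in parse(logs):
        if port in WATCHED_PORTS:
            seen[src].add(port)
    return {src: sorted(p) for src, p in seen.items() if len(p) >= min_ports}


def find_traversal_attempts(logs):
    """Requests to watched ports whose path carries a traversal marker."""
    return [(src, port, path) for _ts, src, port, path in parse(logs)
            if port in WATCHED_PORTS and TRAVERSAL_RE.search(path)]


if __name__ == "__main__":
    print("possible scanners:", find_port_scanners(SAMPLE_LOGS))
    print("traversal attempts:", find_traversal_attempts(SAMPLE_LOGS))
```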

CISA warned last fall that attackers were chaining the vulnerability together with another flaw, a vulnerability in Windows Netlogon Remote Protocol that became known as Zerologon, along with a critical vulnerability in MobileIron Core & Connector versions (CVE-2020-15505) to attack government networks – both federal and SLTT (state, local, tribal, and territorial governments).

CISA also said last year that the vulnerability was one of several being exploited by a Russian APT, known as Energetic Bear (or Crouching Yeti in some circles), to compromise network infrastructure and exfiltrate data from servers.

CISA hasn't warned about the other two vulnerabilities before, but both have been patched previously. One (CVE-2019-5591) could allow an attacker to intercept sensitive information by impersonating the LDAP server, while the other (CVE-2020-12812) could allow an attacker to log into FortiOS without being asked for a second form of authentication. For those keeping track, CVE-2019-5591 was resolved in July 2019 and CVE-2020-12812 was resolved in July 2020.

APT groups have been heavily targeting Secure Sockets Layer (SSL) virtual private network (VPN) setups, increasingly so during the pandemic, with many employees continuing to work from home. In addition to the Fortinet vulnerabilities, over the last year CISA has warned about vulnerabilities in Juniper (CVE-2020-1631), Pulse Secure (CVE-2019-11510) and Citrix (CVE-2019-19781).

For the Fortinet vulnerabilities, organizations should patch if they're running FortiOS; if they're not, organizations should consider adding files used by the operating system to their execution deny list to preemptively block any attempts to install or run the program.

Administrators should refer to Joint CSA AA21-092A: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks for mitigation tips - think disabling unused RDP ports, using multifactor authentication, etc.
