FED FORESIGHT FAILURE: "Advanced Persistent Threats" > Cybersecurity and Infrastructure Security

One more warning on Friday 02 April 2021 in a Joint Statement about MORE HACKING and Ransomware or Espionage Compromises

An advanced persistent threat is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period.

--- Wikipedia

Feds say hackers are likely exploiting critical Fortinet VPN vulnerabilities

Exploits allow hackers to log into VPNs and then access other network resources.

Dan Goodin - 4/2/2021, 1:40 PM

"The FBI and the Cybersecurity and Infrastructure Security Agency said that advanced hackers are likely exploiting critical vulnerabilities in the Fortinet FortiOS VPN in an attempt to plant a beachhead to breach medium and large-sized businesses in later attacks

APT actors may use these vulnerabilities or other common exploitation techniques to gain initial access to multiple government, commercial, and technology services,” the agencies said Friday in a joint advisory. “Gaining initial access pre-positions the APT actors to conduct future attacks.” APT is short for advanced persistent threat, a term used to describe well-organized and well-funded hacking groups, many backed by nation states.

Breaching the mote

Fortinet FortiOS SSL VPNs are used mainly in border firewalls, which cordon off sensitive internal networks from the public Internet. Two of the three already-patched vulnerabilities listed in the advisory—CVE-2018-13379 and CVE-2020-12812—are particularly severe because they make it possible for unauthenticated hackers to steal credentials and connect to VPNs that have yet to be updated.

“If the VPN credentials are also shared with other internal services (e.g. if they're Active Directory, LDAP, or similar single sign-on credentials) then the attacker immediately gains access to those services with the privileges of the user whose credentials were stolen,” said James Renken, a site reliability engineer at the Internet Security Research Group. Renken is one of two people credited with discovering a third FortiOS vulnerability—CVE-2019-5591—that Friday’s advisory said was also likely being exploited. “The attacker can then explore the network, pivot to trying to exploit various internal services, etc.”

. . .The FBI and CISA provided no details about the APT mentioned in the joint advisory. The advisory also hedges by saying that there is a “likelihood” the threat actors are actively exploiting the vulnerabilities.

Patching the vulnerabilities requires IT administrators to make configuration changes, and unless an organization is using a network with more than one VPN device, there will be downtime. While those barriers are often tough in environments that need VPNs to be available around the clock, the risk of being swept into a ransomware or espionage compromise is significantly greater.

-------------------------------------------------------------------------------------------------------------------------------

Cybersecurity

CISA, FBI warn of hacking threat against Fortinet product

• By Justin Katz
• Apr 02, 2021

 

 

The Cybersecurity and Infrastructure Security Agency and the FBI on Friday issued a new advisory warning that an advanced persistent threat actor is using old vulnerabilities in enterprise software from Fortinet to gain access to government and industry networks.

"The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks," according to the advisory

 

More

FBI: APTs Actively Exploiting Fortinet VPN Security Holes

https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/

Three security vulnerabilities in the Fortinet SSL VPN are being used to gain a foothold within networks before moving laterally and carrying out recon.

The FBI and the Cybersecurity and Infrastructure Security Agency are warning that advanced persistent threat (APT) nation-state actors are actively exploiting known security vulnerabilities in the Fortinet FortiOS cybersecurity operating system, affecting the company’s SSL VPN products.

According to an alert issued Friday by the FBI and CISA, cyberattackers are scanning devices on ports 4443, 8443 and 10443, looking for unpatched Fortinet security implementations. Specifically, APTs are exploiting CVE-2018-13379, CVE-2019-5591 and CVE-2020-12812.

“It is likely that the APT actors are scanning for these vulnerabilities to gain access to multiple government, commercial and technology services networks,” according to the alert. “APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns.”

The bugs are popular with cyberattackers in general, due to Fortinet’s widespread footprint, researchers noted.

“CVE-2018-13379 is a critical vulnerability in the Fortinet FortiOS SSL VPN that has been favored by cybercriminals since exploit details became public in August 2019,” Satnam Narang, staff research engineer at Tenable, said via email. “In fact, Tenable’s 2020 Threat Landscape Retrospective placed it in our Top 5 Vulnerabilities of 2020 because we see threat actors continue to leverage it in the wild, well over a year after it was first disclosed.”

The FBI and CISA didn’t specify which APTs are mounting the recent activity.

Initial Compromise & Recon

Once exploited, the attackers are moving laterally and carrying out reconnaissance on targets, according to officials.

“The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical-infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks,” the warning explained. “APT actors may use other CVEs or common exploitation techniques—such as spear-phishing—to gain access to critical infrastructure networks to pre-position for follow-on attacks.”

The joint cybersecurity advisory from the FBI and CISA follows last year’s flurry of advisories from U.S. agencies about APT groups using unpatched vulnerabilities to target federal agencies and commercial organizations. . .

More >

 

More

Hackers Setup Fake Cyber Security Firm To Target Security Researchers

Kavvitaa S Iyer

TechWorm |

Google’s Threat Analysis Group (TAG), a Google security team specialized in hunting advanced persistent threat (APT) groups, on Wednesday shared that a North Korean government-backed campaign is targeting cybersecurity researchers with malware via social media.

For those unaware, in January 2021, TAG had disclosed a hacking campaign, targeting security researchers working on vulnerability research and development across different organizations. On March 17th, the same actors behind those attacks set up a new website for a fake company called “SecuriElite” as well as associated Twitter and LinkedIn accounts.

The new website claims that it is an “offensive security company located in Turkey that offers pentests, software security assessments and exploits”.

As per the experts, this website has a link to their PGP public key at the bottom of the page like the previous websites set up by the actor. The PGP key hosted on the attacker’s blog acted as the lure for unsuspecting researchers in January attacks to visit the site “where a browser exploit was waiting to be triggered”.

The attacker’s latest batch of social media profiles continues the trend of posing as fellow security researchers interested in exploitation and offensive security. In total, Google has identified eight Twitter accounts and seven LinkedIn profiles.

The threat actors used multiple platforms to communicate with potential targets, including Twitter, LinkedIn, Telegram, Discord, Keybase and email to communicate with the researchers and build trust, only to deploy a Windows backdoor through a trojanized Visual Studio Project.

Following the discovery, Google reported all identified social media profiles to the platforms to allow them to take appropriate action, after which all of them were suspended.

The accounts seemed to be owned by vulnerability researchers and human resources personnel at various security firms including Trend Macro (a fake name inspired by Trend Micro), while some posed as the Chief Executive Officer and employees at the fictitious Turkish company.

Currently, the new attacker website is not serving any malicious content to deliver malware; however, Google has added the website’s URL to Google Safebrowsing as a precaution to prevent accidental visits by the users.

Following TAG’s disclosure in January 2021, security researchers from South Korean cybersecurity firm ENKI successfully identified these actors using an Internet Explorer 0-day. Based on their activity, TAG researchers believe that these actors are dangerous and likely have more 0-days.

“We encourage anyone who discovers a Chrome vulnerability to report that activity through the Chrome Vulnerabilities Rewards Program submission process,” concluded Adam Weidemann from TAG in the blog post.

More 

----------------------------------------------------------------------------------

AZURE NETWORK 

LINK > https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-azure-sentinel-user-and-entity-behavior-analytics-in/ba-p/1700953