Threat actors are targeting high-profile organizations after the critical Fortinet VPN vulnerability, CVE-2022-42475, was publicly disclosed in December. The vulnerability, which scored a 9.8 on the Common Vulnerability Scoring System (CVSS), poses a serious risk to users of the FortiOS SSL VPN service.
Internal Indicators of Compromise and Evidence of Prominent Victims
Fortinet’s extended research into exploitation revealed several internal indicators of compromise (IoC) and evidence of potential prominent victims. Furthermore, the analysis pointed to well-resourced Chinese groups who showed strong comprehension of the operating system, used custom implants, and had multiple time stamps from Eastern Asian countries.
Chinese Cyber Espionage Operations on the Rise
This rings true with recent findings from another cybersecurity vendor, which noted malicious traffic from China targeting an undisclosed zero-day vulnerability. The attack steps involved exploiting internet-facing devices followed by custom implants, a tactic that mirrors activity observed with the Fortinet VPN vulnerability.
“We believe that this is the latest in a series of Chinese cyber espionage operations that have targeted internet-facing devices and we anticipate this tactic will continue to be the intrusion vector of choice for well-resourced Chinese groups,” the researchers explained.
Brute Force Attempts Against Fortinet’s SSL VPN on the Rise
While researchers haven’t observed direct exploitation of CVE-2022-42475, they have seen a considerable increase in brute force attempts against Fortinet’s SSL VPN. This along with the evidence linking it to Chinese cyber espionage should serve as a warning to all organizations to patch their systems as soon as possible.
Strong Security Measures to Minimize the Chances of Detection
Researchers suggest using strong passwords and other security baselines to minimize the chances of detection. The emergence of the Fortinet VPN vulnerability highlights the importance of keeping systems patched and up-to-date. If left unaddressed, the vulnerability could enable attackers to gain access to any unpatched system.
Stay Ahead of the Threats with Additional Security Measures
Organizations should also remain vigilant and anticipate further exploitation of the CVE-2022-42475 vulnerability. Although the extent of the attack remains unknown, it is believed that Chinese cyber espionage groups are behind the activity and could be targeting high-profile organizations.
Organizations must strive to stay ahead of such threats by implementing additional security measures, including restricting access to vulnerable systems, keeping backups on record, using two-factor authentication and encryption when possible.
Personal Responsibility for Security and Employee Training
Users should take personal responsibility for their security by using strong passwords and limiting access to sensitive data. Additionally, all employees should be trained to recognize and report any suspicious activity.
Monitor Systems for Anomalous Activity
Alongside these recommendations, organizations should regularly monitor their systems for any anomalous activity. By utilizing strong logging tools, organizations can detect and identify any malicious activity related to the Fortinet VPN vulnerability.
Review System Architecture and Consider Updating Software
Organizations should review their system architecture and consider patching software to the latest version, especially when weaknesses in vendor software have been discovered. Organizations should also take into account the threat landscape and protect their systems against different types of attacks, including external network attacks, social engineering, phishing attempts, DDOS attacks, and more.
Invest in Monitoring Tools for Internal Networks
Organizations should also invest in monitoring tools for their internal networks. Such tools can provide insight into user behavior and detect any unusual traffic patterns or activities. They can also alert organizations if any suspicious activity is taking place.
