“Hackers from the Land of the Red Dragon Strikes Again with Fortinet Zero-Day Exploit”
Chinese Hackers Exploit Fortinet Zero-Day Vulnerabilities
Chinese threat actors have been found exploiting a zero-day vulnerability in the Fortinet VPN servers, according to researchers at the cybersecurity firm FireEye. The vulnerability is one of two that affect the Fortinet VPN servers, which are widely used by enterprises to provide secure remote access to employees.
FireEye found two executable files on a public-facing web server that belong to a Chinese hacking group known as APT5. The two executables are “ssl.so” and “wanipc”. Together, the two files are used to escalate privileges and install a backdoor for persistent access to the VPN server.
The researchers say the attackers are circumventing multi-factor authentication (MFA) and other security measures by exploiting the zero-day vulnerabilities. The vulnerabilities in question were found in Fortinet’s SSL VPN software and operate when the software is run in either web mode or tunnel mode, thus rendering the VPN service vulnerable to the exploit.
The attackers’ ultimate goal is to bypass MFA and gain unauthorized access to the VPN server to exfiltrate sensitive corporate data. The researchers believe APT5 used the stolen credentials to remotely access protected networks and exfiltrate data.
This vulnerability highlights the pressing need for organizations to quickly patch known security flaws, which Fortinet has promptly addressed, releasing patches for the vulnerabilities within 24 hours after learning of the active exploits.
APT5 has previously been tied to nation-state-sponsored cyber-espionage activity, and their interest in VPN vulnerabilities adds to evidence that cyber-criminals prefer to target VPNs due to the wide range of access to valuable corporate networks they offer.
Key Takeaways:
1. Chinese hackers have been exploiting a zero-day vulnerability in the Fortinet VPN servers.
2. The vulnerability allows the hackers to bypass multi-factor authentication and other security measures.
3. APT5 used the stolen credentials to remotely access protected networks and exfiltrate sensitive corporate data.
4. Fortinet has released patches for the vulnerabilities within 24 hours of learning of the active exploits.
5. The incident highlights the need for organizations to quickly patch known security flaws, particularly in VPNs, which are preferred targets for hackers.
