Security researchers at Cyble have observed initial access brokers (IABs) selling access to enterprise networks likely compromised via a recently patched critical vulnerability in Fortinet products.

Tracked as CVE-2022-40684 and impacting FortiOS, FortiProxy, and FortiSwitchManager products, the vulnerability was publicly disclosed in early October, when it was already exploited in malicious attacks.

The issue is an authentication bypass allowing a remote attacker to use specially crafted HTTP or HTTPS requests to perform unauthorized operations on a vulnerable appliance’s admin interface.

Essentially, the security defect provides the attacker with admin access to SSH on the target appliance, allowing the attacker to update or add a valid public SSH key to the device and gain complete control over it.

According to Cyble, there are more than 100,000 FortiGate firewalls accessible from the internet and any of these instances that have not been patched might become a target for the attackers.

The dark web monitoring firm says that it has already seen cybercriminals offering access to networks that were likely compromised via CVE-2022-40684.

Cyble says it has observed a threat actor “distributing multiple unauthorized Fortinet VPN access over one of the Russian cybercrime forums”.

“While analyzing the access, it was found that the attacker was attempting to add their own public key to the admin user’s account. As per intelligence gathered from sources, the victim organizations were using outdated FortiOS. Hence, with high confidence, we conclude that the threat actor behind this sale exploited CVE-2022-40684,” Cyble notes.

Attacks targeting Fortinet instances have been ongoing since October 17, the cybersecurity firm says.

In mid-October, Fortinet raised the alarm on the increasing number of attacks targeting CVE-2022-40684, warning of a slow patching pace and of the public availability of proof-of-concept (PoC) code.

By Ionut Arghire on Tue, 29 Nov 2022 12:02:35 +0000
Original link