Vulnerabilities are inescapable in the modern organization. Even security appliances like firewalls are susceptible to vulnerabilities and aren't infallible. When these gaps show themselves it's important to respond accordingly. Patching vulnerabilities in a timely manner is crucial to protecting your organization.
In December of 2022 Fortinet published a critical advisory regarding a critical vulnerability that impacted multiple Fortinet products and services including FortiOS. FortiOS is the network operating system that Fortinet's security infrastructure runs on.
The vulnerability, labeled CVE-2022-42475, potentially allows unauthenticated attackers to remotely execute code or commands on a victims system. NIST has labeled this vulnerability as critical and is actively being exploited by Chinese threat actors. Fortinet's security incident response team (PSIRT) stated: "The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets."
Fortinet's incident analysis revealed the malware was a "variant of a generic Linux implanted customized for FortiOS". The way in which the exploit was developed and used suggests that the attacker has advanced skills with a detailed understanding of FortiOS and the hardware it works with. The attack also specifically targeted government related targets.
CorpInfoTech specializes in the knowledge and implementation of Fortinet products and technologies in order to stay aware of product, platform and development changes that may occur. This includes staying on top of any new vulnerabilities that arise in the Fortinet applications our clients use. We were provided information regarding this vulnerability from Fortinet's PSIRT and with our expertise in Fortinet's software were able to act accordingly.
Using the information provided by Fortinet's incident analysis CorpInfoTech's team was able to spring into action. We immediately updated internal test/evaluation firewall appliances using the PSIRT directed remediation as outlined in their blog. We also identified any vulnerable devices that we managed and implemented an emergency change that denied the known IP addresses associated with the observed attacks from all of our managed devices. This change was implemented within 2 hours of the initial PSIRT Indicators of compromise (IoC) advisory. IoC's are used to find evidence that a device has been compromised. These indicators include IP addresses, file names, or file checksums. You can read Fortinet's critical advisory for a comprehensive list of what to look for if you think your devices are vulnerable.
Once this was implemented, CorpInfoTech coordinated and completed updating all of our managed clients devices within 2 days. When it comes to vulnerability management, time is imperative. Due to the critical nature of this particular vulnerability it was all the more important to act fast. However, CorpInfoTech didn't stop here. Using our proprietary SIEM platform, we went back and analyzed all of the traffic over the previous 90 days for our managed clients to determine if any of the IoC IP addresses were present on the wire. This ensured that we caught an instance of unwanted or unwelcome traffic associated with this vulnerability before its reach was made public.
Fortinet has made it clear they will continue to monitor and provide any updates to threat actor activity involving the recent zero day. They also recommend taking the actions outlined in their Critical Advisory FG-IR-22-398.
If your organization uses Fortinet products or applications that may be vulnerable and aren't sure what your next steps should be, contact CorpInfoTech today to ensure that your vulnerabilities are discovered before the bad guys exploit them.