Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Cybercriminals Selling Access to Networks Compromised via Recent Fortinet Vulnerability

Security researchers at Cyble have observed initial access brokers (IABs) selling access to enterprise networks likely compromised via a recently patched critical vulnerability in Fortinet products.

Security researchers at Cyble have observed initial access brokers (IABs) selling access to enterprise networks likely compromised via a recently patched critical vulnerability in Fortinet products.

Tracked as CVE-2022-40684 and impacting FortiOS, FortiProxy, and FortiSwitchManager products, the vulnerability was publicly disclosed in early October, when it was already exploited in malicious attacks.

The issue is an authentication bypass allowing a remote attacker to use specially crafted HTTP or HTTPS requests to perform unauthorized operations on a vulnerable appliance’s admin interface.

Essentially, the security defect provides the attacker with admin access to SSH on the target appliance, allowing the attacker to update or add a valid public SSH key to the device and gain complete control over it.

According to Cyble, there are more than 100,000 FortiGate firewalls accessible from the internet and any of these instances that have not been patched might become a target for the attackers.

The dark web monitoring firm says that it has already seen cybercriminals offering access to networks that were likely compromised via CVE-2022-40684.

Cyble says it has observed a threat actor “distributing multiple unauthorized Fortinet VPN access over one of the Russian cybercrime forums”.

“While analyzing the access, it was found that the attacker was attempting to add their own public key to the admin user’s account. As per intelligence gathered from sources, the victim organizations were using outdated FortiOS. Hence, with high confidence, we conclude that the threat actor behind this sale exploited CVE-2022-40684,” Cyble notes.

Attacks targeting Fortinet instances have been ongoing since October 17, the cybersecurity firm says.

In mid-October, Fortinet raised the alarm on the increasing number of attacks targeting CVE-2022-40684, warning of a slow patching pace and of the public availability of proof-of-concept (PoC) code.

Related: Fortinet Patches 6 High-Severity Vulnerabilities

Related: Tens of Thousands of Unpatched Fortinet VPNs Hacked via Old Security Flaw

Related: Fortinet Patches High-Severity Vulnerabilities in Several Products

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.