Threat actor observed selling exploit kits for Fortinet products

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Severity level: Critical – Vulnerability can allow unauthorised attacks to execute codes and commands at the administrative level.

This vulnerability has been issued a Common Vulnerability Scoring System (CVSS) score of 9.6 out of 10.

Researchers have observed a threat actor that goes by the name ‘DarkSoftware’ selling exploit kits on the dark web for CVE-2022-40684. A proof of concept (POC) for the vulnerability has already been released to the public and the weakness has also been addressed by Fortinet’s threat research group, Fortiguard Labs.

CVE-2022-40684 is an authentication bypass vulnerability that affects multiple Fortinet products including FortiOS, FortiProxy and FortiSwitchManager. The vulnerability uses crafted HTTP or HTTPS requests to perform actions at the administration level.

Impact

Successful exploitation will likely result in administration-level compromise, allowing the execution of unauthorised commands and codes, and loss of system integrity.

Vulnerability Detection

Associated Fortinet systems running versions equal or prior to those found in the Affected Products section below are vulnerable to this threat.

Affected Products

The following product versions are affected by CVE-2022-40684:

• FortiOS versions 5.x, 6.x are not impacted
• FortiOS version 7.2.0 through 7.2.1
• FortiOS version 7.0.0 through 7.0.6
• FortiProxy version 7.2.0
• FortiProxy version 7.0.0 through 7.0.6
• FortiSwitchManager version 7.2.0
• FortiSwitchManager version 7.0.0

Containment, Mitigations & Remediations

Updates have been issued for vulnerable versions of Fortinet’s product. It is strongly recommended that customers check which version of the affected products they are running and update appropriately.

The following updates can be applied:

• FortiOS version 7.2.2 or above
• FortiOS version 7.0.7 or above
• FortiProxy version 7.2.1 or above
• FortiProxy version 7.0.7 or above
• FortiSwitchManager version 7.2.1 or above
• FortiSwitchManager version 7.0.1 or above
• FortiOS version 7.0.5 B8001 or above for FG6000F and 7000E/F series platforms

Updating to these versions will negate the vulnerability.

If updating systems is not currently possible, FortiGuard Labs has released a workaround.

Indicators of Compromise

Systems logs can be checked for suspicious activity. Check for user=”Local_Processes_Access”.
Affected systems should also be checked for logs with user_interface=”Node.js” or user_interface=”Report Runner”

Threat Landscape

Illicit dark web marketplaces are a serious security issue for all organisations due to the range and availability of exploit packages such as this. Despite international law enforcement agencies’ continued efforts to take down illicit dark web markets, new markets can replace older ones faster than they can act. Therefore, these markets will almost certainly continue to be a security threat for the foreseeable future.

Threat Actor

DarkSoftware is a vendor that operates via illicit dark web marketplaces. Until law enforcement agencies apprehend this threat actor, it is likely they will continue to operate for financial gain.

Mitre Methodologies

T1021.004 – Remote Services: SSH
T1068 – Exploitation for Privilege Escalation
T1071 – Application Layer Protocol
T1071.001 – Application Layer Protocol: Web Protocols
T1078.003 – Valid Accounts: Local Accounts
T1087.002 – Account Discovery: Domain Account
T1098.004 – Account Manipulation: SSH Authorized Keys
T1133 – External Remote Services
T1190 – Exploit Public-Facing Application
T1210 – Exploitation of Remote Services
T1556 – Modify Authentication Process
T1565 – Data Manipulation
T1595.002 – Active Scanning: Vulnerability Scanning
T1602.002 – Data from Configuration Repository: Network Device Configuration Dump

Further Information

NIST – CVE-2022-40684
Mitre – CVE-2022-40684
Horizon3 – CVE-2022-40684 IOC