Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company's mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
In mid and late November 2022, eSentire detected and shut down hackers attempting to infect two of its customers, a Canadian-based college and a global investment firm, with ransomware. eSentire’s security research team, the Threat Response Unit (TRU), traced the attack to vulnerable Fortinet Virtual Private Network (VPN) devices belonging to eSentire’s customers. The VPNs were being managed and monitored by third-party providers; thus, TRU had no direct visibility into the devices.
However, this did not keep eSentire from detecting and intercepting the ransomware deployment. Here are the details:
On October 10, 2022, Fortinet, which develops next-generation firewalls, VPNs, antivirus, and endpoint solutions, among other offerings, issued a public security advisory disclosing that there was a critical vulnerability (CVE-2022-40684) impacting several of their products. Fortinet described the security weakness as an authentication bypass vulnerability. If successfully exploited, an unauthenticated attacker could gain access to a vulnerable Fortinet device. Specifically, devices which are often integrated with organization-wide authentication protocols like Lightweight Directory Access Protocol (LDAP) and Active Directory (AD) – the “keys to the kingdom,” so to speak.
Fortinet also stated in their October 10 advisory that they had seen only one incident where the vulnerability was being actively exploited. However, this quiet period was short-lived. Three days later, on October 13, 2022, a functional Proof-of-Concept
(POC) exploit code was publicly released, and a flurry of activity on the hacker underground began.
TRU first saw a slew of threat actors scanning the internet for vulnerable Fortinet devices. Conducting Dark Web hunts, TRU then observed hackers buying and selling compromised Fortinet devices in the underground markets, indicating widespread exploitation – a typical outcome when technical details and knowledge of exploit code becomes public, and several threat actors begin engaging in exploitation. The exploitation operation appeared to include the exploitation of older vulnerabilities, such as CVE-2018-13374, as out-of-date Fortinet devices were not vulnerable to the 2022 vulnerability.
Hacker sales ranged from individual organizations (Figure 1) to bulk sales (Figure 2), with numerous buyers showing interest. One Initial Access Broker was seen offering monthly subscriptions to compromised Fortinet devices, located in specific countries, and selling this access in bulk at costs between $5,000 and $7,000; however, the currency was not provided in the initial ad (Figure 2).
Figure 1: An Initial Access Broker appearing to sell access to compromised Fortinet devices.
Figure 2: An Initial Access Broker sells bulk access to compromised Fortinet devices, not allowing individual sales.
Hunting for compromised Fortinet devices
Responding to this threat activity, eSentire’s TRU immediately tracked down the technical details of the exploit and created log-based detections for Fortinet devices. These detections were deployed across eSentire’s entire customer base, helping eSentire’s Security Operations Center (SOC) spot any attack activity related to the Fortinet vulnerability.
Conducting threat hunts, TRU swept historical logs from the Fortinet devices looking for indicators of compromise. TRU identified several customers whose devices showed signs of recent threat activity. In one case, the Initial Access Broker appeared to have tested his access using a benign payload, Microsoft’s Calculator application.
No further activity was observed, indicating that the compromised device was likely still being held by the Initial Access Broker who was trying to sell it and other devices he had under his control. For the two clients that opted not to collect Fortinet logs, attempted ransomware intrusions were later observed.
Ransomware hackers use hijacked Fortinet VPNs to gain initial access to a college and a global investment firm
In November 2022, TRU intercepted and shut down two separate cyber intrusions stemming from vulnerable Fortinet devices managed by third-party providers. It’s not clear whether the ransomware actors bought access through an Initial Access Broker or conducted the attacks themselves. The two targets included a college in Canada and a global investment firm.
In both cases, once the hackers got a foothold into the targets’ IT environments via the Fortinet VPNs, the threat actors used Microsoft’s Remote Desktop Protocol (RDP) service by abusing trusted Windows processes (also referred to as LOLBINs or living-off-the-land binaries) to achieve lateral movement. The hackers also abused the legitimate encryption utilities, BestCrypt and BitLocker, which were originally intended to secure data – not hold it hostage.
The ransomware operators presented a ransom note, but they did not reference a name and shame page on the dark web.
Taken together, the use of a remote exploit, the use of LOLBINs, and the use of legitimate encryption, and no leak site makes attribution more difficult. However, the ransom note did follow the format of a ransomware observed in early 2022 known as KalajaTomorr, an operation which has been observed deploying BestCrypt via RDP lateral movement.
Further, the email addresses provided in the ransom notes, from former incidents involving the KalajaTomorr ransomware, share a similar structure and similarly named anonymous email services:
TRU is tracking the campaign against the college and global investment firm as NahumVornkov.
The illicit business of Initial Access Brokers
A flood of initial access offerings for a particular hardware or software product on Dark Web marketplaces is indicative of a high value target. In the case of Fortinet, many of the sales were labeled “New Forti.” As mentioned previously, brokers offered buyers access to individual companies, which appeared to sell relatively quickly, as well as bulk sales that took longer for the brokers to move.
For access to individual organizations, details are provided about the organization such as industry, revenue, and security defenses. For bulk sales, however, these details are obscured. The disadvantage to threat actors when they attempt to make bulk sales is the sales tend to be slower, leading to longer dwell times on the compromised devices as they wait for a buyer who can afford the risk and cost of the purchase.
“SSL VPNs, such as the Fortinet VPNs are easy to misconfigure, and they are highly targeted for exploitation since they a) must be exposed to the internet and b) they provide access to credentials for the organization,” said Keegan Keplinger, Research and Reporting Lead for eSentire’s TRU.
“Additionally, the tendency for these devices to be managed by a third-party often means that the organization and their security providers have no direct visibility into activities being conducted on the device. This allows threat actors longer dwell times, as observed in the sale of these devices on the dark web. This makes SSL VPNs a prime target for Initial Access Brokers.”
Fortinet suffers a second vulnerability and threat actors clamor to exploit it
On December 9, 2022, a French security company disclosed a Remote Code Execution (RCE) vulnerability for Fortinet SSL VPNs. This weakness can enable a threat actor to remotely execute any type of code on the device.
On December 12, 2022, Fortinet acknowledged
the vulnerability had been exploited. It’s unclear how far the RCE vulnerability goes back or whether current Fortinet access sales relate to the RCE vulnerability disclosed on December 9, 2022, or the Authentication Bypass Vulnerability disclosed in October 2022.
Breakdown of Events
On October 10, 2022, Fortinet publicly disclosed a critical vulnerability impacting multiple Fortinet products; the vulnerability was confirmed to be under active exploitation at the time of disclosure. The exploitation was not widespread at that time, as the exploit method was not well known.
On October 13, 2022, a technical report on the vulnerability and functional Proof-of-Concept
(POC) exploit code were publicly released.
eSentire’s Threat Response Unit, predicting widespread exploitation, published an advisory
and raised awareness internally.
Throughout October and into November 2022, TRUobserved several Initial Access Brokers selling access to organizations labeled “New Forti.” In Late November, Cyble published
similar observations.
Throughout November, TRUbegan observing intrusion attempts originating from compromised Fortinet boxes (at least one of them was vulnerable to the 2018 vulnerability, not the latest vulnerability). The threat actors took several steps to minimize their identity:
The intruders usedlegitimate encryption tools instead of purpose-built ransomware. They included:
BestCrypt, a commercially available encryptor, is used to lockindividual files.
BitLocker, the native Windows encryption utility; BitLocker is designed to encrypt the entire disk drive, including the operating system itself and all user data.
The intruders set the administrator password for privilege escalation.
The intrudersmoved laterally via RDP LOLBIN Abuse; that is to say, they used trusted Windows processes (LOLBINS) typically used for legitimate RDP sessions.
The intrudersutilized a ransom note withanonymous email services referenced for contact, avoiding a leak site.
The ransom note and the tactics have similarities to the KalajTomorr ransomware first reported in March 2022.
In both operations, there is no leak site leveraged.
In both operations, BestCrypt is used for encryption.
KalajaTomorr was observed using firemail.cc anonymous email service.
NahumVornkov, the prefix to the email associated with the intrusion was observed using airmail.cc anonymous email service.
In December 2022, a new Fortinet RCE vulnerability is announced.
As detailed in this report, cybercriminals took no time in exploiting the critical vulnerabilities discovered in the Fortinet products. This threat activity should serve as a stark reminder that threat actors are constantly looking for opportunities to compromise and infect organizations with everything from ransomware to credential stealers to crypto miners, and more.
Entities must remain diligent and proactively protect their critical data and applications from cyberthreats. eSentire's TRU provides the following recommendations.
Steps to secure critical IT devices from exploitation and how to protect organizations from ransomware breaches
Conduct regular security awareness training with your employees so they know how to spot phishing emails and common social engineering tactics. You can also perform consistent security assessment & and testing, including phishing simulations and tabletop exercises to test your team on the effectiveness of your training.
Practice strong cyber hygiene with regular patching, robust policies, strong password etiquette, and disciplined access controls.
Ensure that the servers for any IT service management software applications that require administrative privileges are not Internet-facing, as was the case for the Kaseya cyber-attack. Threat actors can easily use certain search engines to find exposed IP addresses for the exposed servers and use that information to target organizations.
Employ an effective multi-layered defensive posture balancing people, process, and technology, rather than structuring your cyber defenses around only one or two of those elements.
Ensure that your security team has full visibility into your IT environment using EDR agents and centralized logging on domain controllers since they are a key target for ransomware actors.
Leverage 24/7 detection with both automated and expert-level manual response, which will allow your organization to benefit from cybersecurity expertise and resources that are beyond your in-house capabilities.
Invest in critical defensive tools, including next-generation antivirus, network monitoring, email gateway, VPN security, multi-factor authentication (MFA), and endpoint protection.
Always require MFA to access your organization’s VPN or remote desktop protocol services.
Keep your operating systems and third-party apps patched and up to date so threat actors have fewer vulnerabilities to exploit.
Don't install software applications unless you know exactly what it is and what it does.
Use the principle of least privilege so only the users that need access to certain data have access to it.
Establish protocols so that if an employee requires access to data, they don’t normally need to complete a specific task, that access is taken away after a certain period of time or it expires as soon as the task is complete.
Implement network segmentation so that if one system is infected, it can easily be isolated from the rest of the networks to ensure the ransomware doesn’t spread through your environment.
Backup all your data on a regular basis and store the backups separately to ensure they cannot be accessed from your network.
Work with your security team and Incident Response (IR) provider to build an IR plan that’s right for your organization so that if a cyberattack does occur, your team is ready with remediation and response efforts.
If you’re not currently engaged with a Managed Detection and Response provider, we highly recommend you partner with us for security services in order to disrupt threats before they impact your business. Want to learn more? Connect with an eSentire Security Specialist.
eSentire Threat Response Unit (TRU)
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
