
APT29 Targeting SSL VPN Flaws

The United Kingdom’s National Cyber Security Centre (NCSC) and Canada’s Communications Security Establishment (CSE) have published research into the activity of ‘APT29’, also known as ‘the Dukes’ or ‘Cozy Bear’, which has been targeting organisations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines.

The initial attack vectors for this group have been unpatched vulnerabilities in SSL-VPN products, including Fortinet’s FortiGate SSL-VPN. One of the vectors used is a vulnerability Fortinet resolved in May 2019 that allowed an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests (a path traversal in the SSL-VPN web portal), disclosed as FG-IR-18-384 / CVE-2018-13379. At the time of disclosure Fortinet made patches available for all supported releases (5.4, 5.6, 6.0, 6.2).

Customers were notified at the time via the public PSIRT advisory system of the need to upgrade immediately, and the same was highlighted in the release notes. For those unable to upgrade, mitigations were provided. For additional transparency, this was again highlighted in a blog post in August 2019 after the vulnerabilities were presented by researchers at Black Hat 2019.

Fortinet recommends that all customers take the following actions immediately.

  • Upgrade all FortiGate systems to the latest firmware release. Running the latest security patches for your release is key to protecting against attack.
  • Validate that all SSL-VPN local users are expected and have the correct email addresses assigned, and perform a password reset for all users. The files exposed by CVE-2018-13379 can include VPN user credentials, so patching alone does not invalidate credentials stolen before the upgrade. If there are any unrecognised local users, remove them immediately in accordance with corporate policy.
  • Preferably, migrate all user authentication to a remote directory system (LDAP, RADIUS).
  • Use multi-factor authentication (two-factor authentication) to reduce the impact of password compromises.
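As an added example (not code from Fortinet or from the original post), the following Python script automates the local-user validation step above: it parses the output of the FortiOS CLI command `show user local`, compares the local accounts against an expected roster, flags unknown accounts, mismatched email addresses and accounts with no two-factor method, and generates the CLI commands to delete the unknown accounts. The sample CLI output and the roster are constructed for illustration; the account names, email addresses and token serial are hypothetical.

```python
"""
Audit FortiOS local users (as used by SSL-VPN) against an expected roster.

Input is the text of `show user local` from the FortiGate CLI. Because `show`
omits settings left at their default, a user with no `set two-factor` line has
two-factor authentication disabled.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `show user local` output; not captured from a real device.
SAMPLE_SHOW_USER_LOCAL = """\
config user local
    edit "alice"
        set type password
        set passwd ENC XXXX
        set email-to "alice@corp.example"
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000001"
    next
    edit "bob"
        set type password
        set passwd ENC XXXX
        set email-to "bob@personal.example"
    next
    edit "svc-backup"
        set type password
        set passwd ENC XXXX
        set email-to "admin@mail.example"
    next
end
"""

# Hypothetical roster: the local accounts that are expected to exist and their
# approved email address, as maintained by the organisation.
EXPECTED_USERS: Dict[str, str] = {
    "alice": "alice@corp.example",
    "bob": "bob@corp.example",
}


@dataclass
class LocalUser:
    name: str
    email: Optional[str] = None
    two_factor: Optional[str] = None  # e.g. "fortitoken", "email", "sms"; None = disabled


def parse_user_local(text: str) -> Dict[str, LocalUser]:
    """Parse a `config user local ... end` block into LocalUser objects keyed by name."""
    users: Dict[str, LocalUser] = {}
    current: Optional[LocalUser] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit "(.+)"$', line)
        if m:
            current = LocalUser(name=m.group(1))
            users[current.name] = current
            continue
        if current is None:
            continue
        m = re.match(r'^set email-to "(.+)"$', line)
        if m:
            current.email = m.group(1)
            continue
        m = re.match(r"^set two-factor (\S+)$", line)
        if m:
            current.two_factor = m.group(1)
            continue
        if line == "next":
            current = None
    return users


def audit(users: Dict[str, LocalUser], expected: Dict[str, str]) -> Dict[str, list]:
    """Return unknown accounts, email mismatches and accounts without two-factor."""
    findings: Dict[str, list] = {"unknown": [], "email_mismatch": [], "no_2fa": []}
    for name, u in sorted(users.items()):
        if name not in expected:
            findings["unknown"].append(name)  # candidate for removal
            continue
        if u.email != expected[name]:
            findings["email_mismatch"].append((name, u.email, expected[name]))
        if u.two_factor in (None, "disable"):
            findings["no_2fa"].append(name)
    return findings


def removal_commands(unknown: List[str]) -> str:
    """FortiOS CLI block that deletes the accounts flagged as unknown."""
    if not unknown:
        return ""
    lines = ["config user local"]
    lines += [f'    delete "{name}"' for name in unknown]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit(parse_user_local(SAMPLE_SHOW_USER_LOCAL), EXPECTED_USERS)
    for kind, items in found.items():
        print(f"{kind}: {items}")
    print(removal_commands(found["unknown"]))
```

Run it against a saved copy of the CLI output rather than on the device itself, and review the generated `delete` commands against corporate policy before applying them. The audit does not replace the password reset: every account that remains, including those that pass all three checks, still needs its password changed.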

Additional steps can be taken to secure your network against attack, including:

  • Prevent and detect lateral movement in your organisation’s networks using tools such as deception technology to identify threats early in the attack lifecycle.
  • Employ endpoint detection and response (EDR) to identify and block threats before they have a chance to take hold on the network.

Revision History:

2020-07-16 Initial version

As Fortinet partners, Net Universe offers all Fortinet devices and subscriptions with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/fortinet.
You can visit our Shop Online
