APT 29 Targeting SSL VPN Flaws

United Kingdom’s National Cyber Security Centre (NCSC) and Canada’s Communications Security Establishment (CSE) have published research into the activity of ‘APT29’, also known as ‘the Dukes’ or ‘Cozy Bear’ who have been targeting various organisations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines.

The initial attack vectors for this group has been unpatched vulnerabilities in SSL-VPN solutions including Fortinet. One of the vectors used included a vulnerability resolved by Fortinet in May 2019, allowed an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests as disclosed in FG-IR-18-384 / CVE-2018-13379. At the time of the disclosure Fortinet made available patches for all supported releases (5.4, 5.6, 6.0, 6.2).

Customers were notified at the time via the public PSIRT Advisory system of the need to upgrade immediately and highlighted the same in the release notes.  For those unable to upgrade, mitigations were provided.  For additional transparency, this was again highlighted in a blog in August 2019 after the vulnerabilities were disclosed by the researchers at Black Hat 2019.

For all customers Fortinet recommends the following actions are taken immediately.

• Upgrade all FortiGate systems to the latest firmware releases. Using the latest security patches for your release is key to protect against attack.
• Validate that all SSL-VPN local users are expected, with correct email addresses assigned and perform password reset on all users.  If there are any unrecognised local users, follow corporate policy remove them immediately.
• Preferably migrate to using remote directory system (LDAP,RADIUS) for all user authentication
• Use multi-factor authentication (two-factor authentication authentication) to reduce the impact of password compromises.

Additional steps can be taken to secure your network against attack including:

• Prevent and detect lateral movement in your organisation’s networks using tools such as deceptor technology to identify threats early in the threat cycle.
• Employ Endpoint detection and response to identify and block threats before the have a chance to take hold on the network.

Revision History:

2020-07-16 Initial version