Last week (25 November 2020) reminded us once again of the importance and challenge of that real-world problem: patching. It was reported that a hacker had leaked the credentials for some 50,000 Fortinet VPNs. The victims include high street banks, telecoms, and government organizations from around the world. The stolen data includes usernames, passwords, access level (such as 'full access'), and the original unmasked IP address of the user connected to the VPN. The data is spreading across the Dark Web.
The vulnerability exploited to obtain the data is CVE-2018-13379, a path traversal vulnerability in the FortiOS SSL VPN web portal that can allow an unauthenticated attacker to download files through specially crafted HTTP resource requests.
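Because the flaw is exploited through ordinary HTTP requests to the portal, the attempts are visible in web access logs. The following is an added example (not Fortinet's code and not part of the original article) that scans constructed, CLF-style log lines for path-traversal payloads aimed at an SSL VPN portal. The `/vpn/...` endpoint names and the log lines are placeholders I made up for the demonstration, not the real FortiOS portal paths or real traffic; the detector also decodes double-encoded payloads and treats a 200 response to a traversal request as a likely successful file read, which is what an unpatched portal would return.

```python
"""Flag path-traversal attempts against an SSL VPN web portal in HTTP access logs.

Added example for this article, not Fortinet's or the author's code. The log
lines are constructed (CLF-style, TEST-NET addresses) and the /vpn/... endpoint
names are placeholders, not the real FortiOS portal paths.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample log lines (not real traffic): one benign login, one plain
# traversal that was served (200), one double-encoded attempt that failed (404),
# one benign query, and one backslash-style traversal in the path.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Nov/2020:10:00:01 +0000] "GET /vpn/login HTTP/1.1" 200 1024
203.0.113.9 - - [25/Nov/2020:10:00:02 +0000] "GET /vpn/portal?lang=/../../../../etc/passwd HTTP/1.1" 200 5120
203.0.113.9 - - [25/Nov/2020:10:00:03 +0000] "GET /vpn/portal?lang=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 404 0
198.51.100.7 - - [25/Nov/2020:10:00:04 +0000] "GET /vpn/portal?lang=en HTTP/1.1" 200 300
198.51.100.8 - - [25/Nov/2020:10:00:05 +0000] "GET /vpn/static/..%5c..%5cwin.ini HTTP/1.1" 200 92
"""


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%252e -> %2e -> .) are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    """True if the decoded value contains a '..' path segment (slash or backslash separated)."""
    segments = fully_decode(value).replace("\\", "/").split("/")
    return ".." in segments


def is_traversal_request(target: str) -> bool:
    """Check the request path and every query parameter value for a traversal segment."""
    parts = urlsplit(target)
    if has_traversal(parts.path):
        return True
    return any(has_traversal(v) for _, v in parse_qsl(parts.query, keep_blank_values=True))


def scan_log(text: str, portal_prefix: str = "/vpn/") -> list:
    """Return one finding per traversal request against the portal prefix.

    A 200 response is labelled 'likely-success' because a portal that actually
    serves the requested file answers exactly that way; anything else is 'attempt'.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than abort the whole scan
        target = m.group("target")
        if not target.startswith(portal_prefix) or not is_traversal_request(target):
            continue
        status = int(m.group("status"))
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "target": target,
            "status": status,
            "verdict": "likely-success" if status == 200 else "attempt",
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['verdict']:14} {f['ip']:15} {f['status']} {f['target']}")
```

Run against the sample, the scanner reports three findings and ignores the two benign requests. Matching on a `..` segment after full decoding, rather than on a fixed string, is deliberate: single-encoded, double-encoded and backslash variants all collapse to the same segment, whereas a signature for one literal payload would miss the others.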
This is not its first known exploitation. Back in July 2020, the UK's National Cyber Security Centre (NCSC) and Canada's Communications Security Establishment (CSE) published information on the use of this vulnerability by APT29, also known as 'Cozy Bear' and believed to be a Russian state-backed group involved in hacking the DNC prior to the 2016 U.S. elections. In this instance, the target reached via the Fortinet VPNs was thought to be information about COVID-19 vaccines.
In October 2020 the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also warned that the Russian state-backed hacking group commonly known as Energetic Bear had used the same vulnerability in attacks against various U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks, ahead of the 2020 elections.
None of this should have been possible. Fortinet patched the vulnerability back in spring 2019, well over a year before these incidents. After the latest incidents, Fortinet told Bleeping Computer: "In May 2019 Fortinet issued a PSIRT advisory regarding an SSL vulnerability that was resolved, and have also communicated directly with customers and again via corporate blog posts in August 2019 and July 2020 strongly recommending an upgrade."
Patching. That’s the Real Problem
So, the real problem here is a patch problem. Fortinet VPN users, thousands of major corporations and government entities, simply failed to patch a critical vulnerability despite repeated warnings. Note, too, that applying the patch now closes the hole but does not revoke what has already been taken: credentials that appear in the leak remain valid until they are reset, so affected organizations need to force password changes as well as upgrade.
The need for a robust patching regime has been known and urged for decades. But still companies fail to patch their systems efficiently or sufficiently. The result can be disastrous. The infamous Equifax breach of 2017 was ultimately a failure in patching: the attackers came in through an Apache Struts vulnerability for which a fix had been available for about two months. The ultimate cost to Equifax could be several billion dollars, combining settlements to affected users (potentially up to $2 billion) and a further $1 billion for agreed security upgrades. There are many other examples of costly breaches caused by a failure to patch.
The basic problem remains — organizations find patching very difficult, and this same issue of unpatched systems being compromised will continue. According to a Ponemon/ServiceNow report in October 2019,
- 60% of breach victims were breached through a known vulnerability for which a patch was available but had not been applied
- 62% were unaware that their organizations were vulnerable prior to the data breach
- 52% of respondents say their organizations are at a disadvantage in responding to vulnerabilities because they use manual processes.
There are many reasons for companies' failure to patch. Not enough staff. Insufficient resources to adequately test the possible downstream effect of patches. And connections to operational technology, where the ingrained philosophy is not to touch something that is currently working. Indeed, Dark Reading has reported that nearly three-fourths of organizations worry that software updates and patches could 'break' their systems when applied. Then there are the usual challenges: any downtime, legacy system patching, and compatibility with existing applications and operating systems.
Patching Doesn’t Have to Be A Problem
But there is a solution to the patch problem that is simple and effective and not dependent on in-house resources: the use of firewall as a service (FWaaS), such as that provided in Cato's SASE platform. Without the cloud, security must be installed appliance by appliance, location by location. It is incumbent on the overworked and under-resourced security or IT team to update and manage those appliances; this is where patching fails.
Cloud services, however, do not rely on their users' own staff resources. Whenever Cato becomes aware of a new fix or patch, we automatically push it out to all our customers. Cloud service users get a robust patch regime without having to worry about patching, and without risking a repeat of the Fortinet VPN incidents or the Equifax patch failure.