All the businesses that have deployed Fortinet solutions must immediately implement patches and harden the solutions using the advisory published by Fortinet. More than 133,000 Fortinet appliances exposed to CVE-2024-21762 vulnerability with the 9.8 CVSS rating. 

It was discovered a month ago, yet an increasing quantity of appliances are still vulnerable to this critical bug. 

The most devices exposed to the said vulnerability are in Asia (around 54310 devices). 

The vulnerability is a remote code execution vulnerability that has been added to the known exploited vulnerability (KEV) catalog. Fortinet has recommended all federal agencies patch the vulnerability as soon as possible because the PoC (Proof of Concept) for the vulnerability is easily available for the attackers online.  

Experts have found that there was a sudden increase in the exploitation with more than 150,000 devices at risk of exposure after the publish of Proof-of-Concept exploit. 

Fortinet has announced another vulnerability CVE-2023-48788 with CVSS 9.3 (critical), an SQL injection flaw in the FortiClient Endpoint Management Server (EMS). 

Since the vulnerability is suspected to be a FortiOS out-of-bounds write vulnerability that is exploited actively, it is recommended to implement the latest set of security measures to harden and patch the affected Fortinet devices.  a

SharkStriker’s recommendation

We recommend applying all the mitigations suggested by the vendor and disabling SSL VPN in case no further mitigation is available.

• We recommend upgrading to the patched version of FortiOS and FortiProxy.
• We enabled their posture with proactive detection and response to suspicious activities
• For early detection and quick & precise response to the threats, we have advised all of our customers to upgrade to the latest version of the impacted solution. 
• Through our STRIEGO’s dashboards, our customers can check the status of their cybersecurity posture.

As our customers have enabled Network Monitoring, the SOC Team can continuously monitor for exploitations and respond to them accordingly.

What is an MFA bypass?

In an MFA bypass the attacker attempts to avoid and circumvent MFA to gain access to the user’s account. MFA bypass attacks have become more frequent in modern-day attacks. But let us understand how MFA verifies identity.

How does MFA verify identity?

MFA uses any two of these aspects to verify an identity.

• A Knowledge factor – all MFAs need a PIN or an OTP or require answering a security question. It provides security since it requires something only you would know and no one else would.
• A Possession factor – The second aspect that it relies on is something that only you would have. It can be an endpoint, a phone to receive push notifications, or a security key.
• An inheritance factor – Lastly it requires a unique part of your identity such as biometrics that can include your fingerprints, your retina scans, or your voice.

An attacker exploits weaknesses in these aspects to carry out an MFA attack. Let us explore the different ways through which attackers carry out MFA attacks.

How to prevent MFA attacks?

Now you must be wondering how to be safe from MFA attacks. Here are some ways you can reduce the possibility of becoming a victim of MFA attacks:

Set limits on push notifications

Disable push notifications as an authentication method and enable locking of accounts on too many MFA attempts. It can reduce the possibility of MFA Fatigue attack significantly.

Enable number matching

By enabling number matching, every time a user tries to sign in, they will be prompted with a code on their browser that they must input on their mobile device. It will require third party trying to sign in to contact the user to input code in the authenticator application.

Raise awareness on MFA attacks:

Chances are, there are many people who aren’t aware of MFA attacks. Attackers leverage this lack of knowledge to find weaknesses in security. Therefore, awareness becomes a fundamental defense pillar against MFA attacks.
Discover how attacker use different techniques to hack passwords