
Reported widespread credential exposure affecting Fortinet Firewalls and VPN Gateways

Release date
18 June 2026
Alert rating
Critical

Description

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) is aware of public reporting of a malicious campaign against Fortinet Firewalls and VPN Gateways.

Audience

Small & medium businesses, Organisations & Critical Infrastructure, Government

Current update

This alert is relevant to all Australians and Australian organisations that utilise Fortinet devices. This alert is intended for a technical audience.

Background

The ASD’s ACSC is aware of public reporting of a widespread malicious campaign against Fortinet Firewalls and VPN gateways, largely utilising exposed credentials and credential-based attacks, leading to potential compromise and further credential exposure.

Leveraging these credentials could give a malicious actor remote access to the devices and connected networks, as well as allow changes to various settings, including security controls.

Mitigation advice

ASD’s ACSC advises all organisations that use Fortinet Firewall or VPN services to ensure the following:

  • Rotate credentials – all admin and VPN credentials should be rotated immediately.
  • Ensure devices are patched – to prevent attackers from exploiting existing vulnerabilities in older firmware.
  • Restrict management interface exposure – to reduce the attack surface of your Fortinet infrastructure, ensure firewall admin/management interfaces are not internet accessible unless necessary.
  • Enforce Multi-Factor Authentication (MFA) – for all external interfaces to minimise the impact of stolen credentials.
  • Ensure credentials are being stored with PBKDF2 hashing – to prevent the offline brute forcing of credentials. All admin accounts should be logged back into once devices are fully updated, so that the stored password hash is regenerated using PBKDF2.
  • Examine logging for malicious activity – review authentication logs and access logs, and investigate abnormal logins or configuration changes.
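As an added illustration of the log review step above (this is example code, not part of the ASD advisory and not a Fortinet tool), the following script parses a FortiGate-style key=value event log and flags the patterns a credential-based campaign leaves behind: repeated failed admin logins from one source, a success following those failures, and logins or configuration edits from a source outside the expected management range. The field names (`action`, `status`, `user`, `srcip`, `cfgpath`), the sample log lines and the allowlist are constructed assumptions for illustration; adapt them to the actual log format and known management sources of the deployment.

```python
import re
from collections import defaultdict

# Constructed sample lines in a FortiGate-style key=value event log layout
# (assumed field names for illustration, not real device output).
SAMPLE_LOGS = """\
date=2026-06-17 time=09:01:10 subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.7
date=2026-06-17 time=09:01:11 subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.7
date=2026-06-17 time=09:01:12 subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.7
date=2026-06-17 time=09:01:13 subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.7
date=2026-06-17 time=09:01:14 subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.7
date=2026-06-17 time=09:01:20 subtype="system" action="login" status="success" user="admin" srcip=203.0.113.7
date=2026-06-17 time=09:30:00 subtype="system" action="login" status="success" user="admin" srcip=192.0.2.10
date=2026-06-17 time=10:15:00 subtype="vpn" action="tunnel-up" status="success" user="alice" srcip=198.51.100.9
date=2026-06-17 time=10:16:00 subtype="system" action="Edit" cfgpath="system.admin" user="admin" srcip=203.0.113.7
"""

# key=value pairs; values may be double-quoted (group 3) or bare (group 4)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
FAIL_THRESHOLD = 5
# Constructed allowlist of source addresses expected to reach the management interface.
KNOWN_ADMIN_SOURCES = {"192.0.2.10"}


def parse_line(line):
    """Parse one key=value log line into a dict of string fields."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def find_suspicious(log_text):
    """Return (finding, srcip, user) tuples for the patterns described in the advisory."""
    failures = defaultdict(int)   # failed login count per source address
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        src, user = ev.get("srcip"), ev.get("user")
        if ev.get("action") == "login":
            if ev.get("status") == "failed":
                failures[src] += 1
                if failures[src] == FAIL_THRESHOLD:     # report a burst once
                    findings.append(("bruteforce", src, user))
            elif ev.get("status") == "success":
                if failures[src]:                       # success after guessing
                    findings.append(("success_after_failures", src, user))
                if src not in KNOWN_ADMIN_SOURCES:      # login from unexpected source
                    findings.append(("unknown_source_login", src, user))
        elif ev.get("action") == "Edit" and src not in KNOWN_ADMIN_SOURCES:
            findings.append(("config_change_unknown_source", src, user))
    return findings
```

Running `find_suspicious(SAMPLE_LOGS)` on the constructed sample yields four findings, all tied to 203.0.113.7, which is the source an analyst would then check against VPN session logs and the device's admin change history.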

Where to get help

Organisations that have been impacted, suspect impact or require advice and assistance can contact us via 1300 CYBER1 (1300 292 371).
