
Welcome to ’25, courtesy of Fortinet

I hope you all had a wonderful holiday and are feeling energised and excited about what 2025 holds for you.

As I was working on the content and outline of our first blog for the year, the news about CVE-2024-55591 started working its way around the world. If you have any instances of FortiOS or FortiProxy in your environment, please stop whatever else you are doing and read Fortinet’s advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-535


At Compassa we are focused on applying a threat-informed lens, founded on the great work being done by the MITRE Center for Threat-Informed Defense. The Fortinet advisory provides an opportunity to use a real-world example to demonstrate what this means in practical terms.


But first things first.


If you are not a Fortinet customer and have just breezed past the advisory wondering what the fuss is about: the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has published a critical alert, both because of the severity of the impact and, most importantly, because of observations of active exploitation in the wild.


If you are a Fortinet customer and have followed the guidance in the advisory, you have hopefully patched or upgraded the affected devices and reviewed your logs for the published indicators of compromise. Now you can think about what to do next. The lessons from this event, and from similar events involving other network appliance vendors, are pertinent.


This latest episode of a network appliance being compromised immediately reminded me of episode #772 of Risky Business (if you are going to listen to one cybersecurity podcast, Risky Business is the one). One of the themes of that episode was the Salt Typhoon activity that resulted in a broad compromise of US telecommunications providers. One of the salient points was that the elements targeted within the telecommunications providers were primarily network devices and appliances. All of these network devices share a common weakness: they lack security instrumentation and telemetry of the calibre a modern Endpoint Detection and Response (EDR) tool provides. Most (all?) enterprises have EDR deployed, but EDR can’t be deployed everywhere. Network and security devices from vendors such as Fortinet, Palo Alto Networks, Sophos, Ivanti and Citrix are closed ecosystems that do not support the installation of third-party software. I single out those vendors only because they have all had to address critical, actively exploited vulnerabilities in recent times.


So where are we now? We know state-sponsored threat actors like Salt Typhoon are targeting network devices, we know ransomware operators are following in those footsteps, and we know those network devices lack the rich EDR telemetry that is available on Windows, Linux and macOS. We all wish Fortinet and the others had more robust controls to catch these vulnerabilities before they are exploited in the wild; in the meantime we need to act.


Actions to consider:

  • Identify all network appliances in your environment, and prioritise high-value devices such as firewalls, VPN/remote access appliances, proxies, core routers and switches.

  • Ensure they are configured to send their logs to a central, immutable log server or Security Information and Event Management (SIEM) platform, so that an attacker who gains control of the device cannot quietly erase the evidence on it.

  • At a minimum, ensure the logging includes:

    • Successful and failed login attempts, including the source IP address and the access method, for example the web interface or secure shell (SSH).

    • All configuration changes, including changes to the logging settings themselves.

    • User account changes: new users being created, existing users being granted more access or having access revoked.

  • Verify that every device synchronises with a Network Time Protocol (NTP) server, so that log timestamps from all devices line up into a coherent timeline.

  • This is mentioned in the Fortinet advisory but is worth repeating: restrict access to the management interface by allow-listing management networks or specific IP addresses, and do not expose it on internet-facing interfaces.

  • Take the time to review any vendor-specific security and audit functionality the network appliances support, and consider whether it adds value.

  • Ensure events are reviewed daily, and create alerts for failed login attempts, logins from outside the allow-listed management networks, and changes to logging or administrator accounts.
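As an added illustration, not taken from Compassa’s text or from Fortinet’s advisory, the FortiOS CLI fragment below applies the logging, NTP and management-access items above to a single FortiGate. The addresses, interface name and syslog port are placeholders, and the command syntax is as I recall it from the FortiOS 7.x CLI; check it against the CLI reference for your firmware version before pasting it into a device.

```text
# Ship every log to the central collector over reliable (TCP) syslog with TLS.
# 10.10.0.50 and port 6514 are placeholders for your collector.
config log syslogd setting
    set status enable
    set server "10.10.0.50"
    set mode reliable
    set port 6514
    set enc-algorithm high
    set format rfc5424
end

# Make sure system and user events (admin logins, config and account changes)
# are generated at all; without these the collector has nothing to receive.
config log eventfilter
    set event enable
    set system enable
    set user enable
end

# Time sync, so this device's timestamps line up with the rest of the estate.
# 10.10.0.10 is a placeholder for your NTP server.
config system ntp
    set ntpsync enable
    set type custom
    config ntpserver
        edit 1
            set server "10.10.0.10"
        next
    end
end

# Restrict the admin account to the management network (trusted hosts).
# 10.10.0.0/24 is a placeholder for your management subnet.
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end

# Remove HTTPS/SSH administration from the internet-facing interface entirely;
# "wan1" is a placeholder for your external port.
config system interface
    edit "wan1"
        set allowaccess ping
    next
end
```

Trusted hosts apply per administrator account, so repeat the `trusthost` setting for every account, including any read-only or API accounts, and confirm after the change that you can still reach the device from the management network before closing your session.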


There is always more you can do, but the above is a good place to start for every device that handles external and third-party network traffic.
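To show what the daily review and alerting step looks like once the logs are arriving centrally, here is an added example (my own code, not Compassa’s or Fortinet’s) that runs four simple detections over log lines written in the FortiOS key=value syslog style. The sample lines, device name, management subnet and thresholds are constructed for the example; the field names (`logdesc`, `srcip`, `ui`, `cfgpath`, `cfgattr`) follow the FortiOS convention, but the exact values your firmware emits should be checked against real logs before you rely on the rules.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions for this example: the management allow-list and the failed-login
# threshold are invented; set them to match your own trusted-host configuration.
MANAGEMENT_NETS = [ip_network("10.10.0.0/24")]
FAIL_THRESHOLD = 3                    # failed logins from one source IP ...
FAIL_WINDOW = timedelta(seconds=60)   # ... within this window raise an alert

# Constructed sample log lines in the FortiOS key=value style. The device name,
# addresses and timestamps are made up; 203.0.113.0/24 is a documentation range.
SAMPLE_LOGS = """\
date=2025-01-15 time=09:00:01 devname="FGT-EDGE" type="event" subtype="system" level="notice" logdesc="Admin login successful" user="admin" ui="https(10.10.0.5)" srcip=10.10.0.5 action="login" status="success"
date=2025-01-15 time=09:01:10 devname="FGT-EDGE" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2025-01-15 time=09:01:12 devname="FGT-EDGE" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2025-01-15 time=09:01:15 devname="FGT-EDGE" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="root" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="failed" reason="name_invalid"
date=2025-01-15 time=09:02:00 devname="FGT-EDGE" type="event" subtype="system" level="notice" logdesc="Admin login successful" user="admin" ui="ssh(203.0.113.7)" srcip=203.0.113.7 action="login" status="success"
date=2025-01-15 time=09:02:30 devname="FGT-EDGE" type="event" subtype="system" level="information" logdesc="Attribute configured" user="admin" ui="ssh(203.0.113.7)" action="Edit" cfgpath="log.syslogd.setting" cfgattr="status[enable->disable]" msg="Edit log.syslogd.setting"
date=2025-01-15 time=09:03:00 devname="FGT-EDGE" type="event" subtype="system" level="information" logdesc="Object configured" user="admin" ui="ssh(203.0.113.7)" action="Add" cfgpath="system.admin" cfgobj="support" msg="Add system.admin support"
"""

# key=value pairs; values are either a double-quoted string (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one FortiOS-style key=value line into a dict; quoted values are unquoted."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if "date" in fields and "time" in fields:
        fields["ts"] = datetime.fromisoformat(f'{fields["date"]} {fields["time"]}')
    return fields


def analyse(log_text):
    """Run the four detections over the log text and return the alerts in log order."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    failures = defaultdict(list)  # source IP -> timestamps of recent failed logins

    for ev in events:
        # Rule 1 and 2: admin logins (the FortiOS login event carries action="login").
        if ev.get("action") == "login" and "srcip" in ev:
            src = ip_address(ev["srcip"])
            if ev.get("status") == "failed":
                window = failures[src]
                window.append(ev["ts"])
                window[:] = [t for t in window if ev["ts"] - t <= FAIL_WINDOW]
                if len(window) == FAIL_THRESHOLD:  # fire as the threshold is crossed
                    alerts.append({"rule": "failed_login_burst", "srcip": str(src),
                                   "count": len(window), "ts": ev["ts"]})
            elif ev.get("status") == "success" and not any(src in n for n in MANAGEMENT_NETS):
                alerts.append({"rule": "login_outside_management_nets", "srcip": str(src),
                               "user": ev.get("user"), "ui": ev.get("ui"), "ts": ev["ts"]})

        # Rule 3 and 4: configuration changes, keyed on the object path being edited.
        cfgpath = ev.get("cfgpath", "")
        if cfgpath.startswith("log."):
            alerts.append({"rule": "logging_config_change", "cfgpath": cfgpath,
                           "detail": ev.get("cfgattr", ""), "user": ev.get("user"), "ts": ev["ts"]})
        elif cfgpath.startswith("system.admin"):
            alerts.append({"rule": "admin_account_change", "cfgpath": cfgpath,
                           "detail": ev.get("cfgobj", ""), "user": ev.get("user"), "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOGS):
        print(a["ts"].isoformat(), a["rule"], {k: v for k, v in a.items() if k not in ("rule", "ts")})
```

Run against the constructed sample, the script raises four alerts in sequence: a burst of three failed logins from 203.0.113.7, a successful SSH login from that same address outside the management network, the syslog forwarding being disabled, and a new administrator account being added. That sequence is exactly the pattern the logging bullets above are designed to expose, and it is why the logs must already be off the box before the attacker gets to the third step.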


Not unlike ’24, our world will continue to experience choppy geopolitical seas that affect our digital landscape, and folk motivated by financial gain will keep looking for their next victim. While we should continue improving our EDR coverage and continuously reviewing our SIEM correlations, let’s not forget about those unseen, critical devices: network appliances. Welcome back to ’25.


We are here to help with this type of challenge, drop us a note if you would like to have a chat.


Have we missed anything? Would love to hear your thoughts.


With passion,

Compassa

