Alert essentials:
Researchers found that an attacker can validate FortiClient VPN credentials without the successful login being logged: a success is only recorded after the authorization step, so a client that stops the login after authentication leaves no entry. This can be used to hide brute-force and credential-stuffing attempts and then to disguise malicious activity as legitimate use of a valid account.
A proof-of-concept is available. Require multifactor authentication on VPNs and monitor logs for the indicators of compromise listed below.
Detailed threat description:
A recently disclosed gap in the logging of FortiClient VPN logins highlights a significant blind spot, potentially allowing attackers to operate undetected. It shows how insufficient logging of VPN client activity can leave organizations, particularly in critical sectors like healthcare, blind to malicious access or data exfiltration.
Researchers discovered that a successful login is recorded only if both the authentication and authorization steps complete.
They then developed a technique that halts the login after the authentication stage, which lets them confirm that a set of VPN credentials is valid without a success ever being logged.
This logging gap lets attackers get past otherwise robust security measures by exploiting insufficient or non-existent client-level logging, particularly in split-tunneling configurations. In practice it allows brute-force and credential-stuffing attacks against the VPN to proceed without detection.
With a bank of leaked credentials, an attacker could quickly determine which VPN accounts are still valid and then use those accounts to blend malicious activity in with legitimate access.
No CVE has been assigned, and a proof-of-concept has been released. Fortinet acknowledges the blind spot but does not consider the finding a vulnerability.
Impacts on healthcare organizations:
This oversight allows exfiltration of sensitive data or unauthorized access to critical systems without triggering alerts. The FortiClient VPN logging gap therefore highlights a critical need for healthcare organizations to reassess and strengthen their VPN configurations and monitoring.
Attackers are increasingly targeting hospitals for ransomware and data theft, so visibility into all VPN activity is essential to maintaining security and operational integrity.
Given the critical nature of healthcare operations, this gap should be addressed immediately.
Affected Products / Versions:
Indicators of Compromise (IoCs)
- Inconsistent login patterns or access attempts from unexpected geographic locations
- Split tunneling policies set up without IT approval
- Outbound traffic to unknown or suspicious IP addresses bypassing the VPN tunnel
- Logs showing attempts to elevate user privileges following a VPN session
- Repeated login failures from external IP addresses
- Research found that, a few minutes after a credential check that stopped at authentication, an “SSL tunnel shutdown” log entry was still created for the validated user. A detection can therefore be built on users that have an “SSL tunnel shutdown” entry with no preceding “SSL tunnel established” entry.
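The “SSL tunnel shutdown” without “SSL tunnel established” detection described in the last indicator, as an added example; this is not code from the original advisory, from Fortinet, or from the researchers. It assumes FortiGate-style key="value" event log lines carrying msg, user and remip fields (the sample lines are constructed, and the field names are an assumption about the log format, not a documented schema). It goes one step beyond the text by also grouping the orphaned shutdowns by source IP, which surfaces a credential-validation run against many accounts from a single address.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in an approximate FortiGate key="value" syslog style.
# Field names (msg, user, remip, ...) are an assumption about the real format.
# alice: normal session (established, then shutdown).
# bob/carol/dave: shutdown with no prior established, all from one source IP.
SAMPLE_LOGS = """\
date=2024-11-20 time=09:00:01 type="event" subtype="vpn" action="tunnel-up" msg="SSL tunnel established" user="alice" remip="203.0.113.10"
date=2024-11-20 time=09:42:17 type="event" subtype="vpn" action="tunnel-down" msg="SSL tunnel shutdown" user="alice" remip="203.0.113.10"
date=2024-11-20 time=10:05:33 type="event" subtype="vpn" action="tunnel-down" msg="SSL tunnel shutdown" user="bob" remip="198.51.100.7"
date=2024-11-20 time=10:06:02 type="event" subtype="vpn" action="tunnel-down" msg="SSL tunnel shutdown" user="carol" remip="198.51.100.7"
date=2024-11-20 time=10:06:40 type="event" subtype="vpn" action="tunnel-down" msg="SSL tunnel shutdown" user="dave" remip="198.51.100.7"
"""

# key=value pairs; quoted values may contain spaces (msg="SSL tunnel established").
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one key="value" log line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def find_orphan_shutdowns(lines):
    """Return (user, remip, timestamp) for every 'SSL tunnel shutdown' that is not
    matched by an earlier 'SSL tunnel established' for the same user.

    Lines are assumed to be in chronological order. A per-user counter of open
    sessions lets one user hold several concurrent tunnels without false positives.
    """
    open_sessions = Counter()
    orphans = []
    for raw in lines:
        f = parse_line(raw)
        msg, user = f.get("msg", ""), f.get("user")
        if user is None:
            continue
        if msg == "SSL tunnel established":
            open_sessions[user] += 1
        elif msg == "SSL tunnel shutdown":
            if open_sessions[user] > 0:
                open_sessions[user] -= 1  # normal close of a logged session
            else:
                when = f"{f.get('date', '')} {f.get('time', '')}".strip()
                orphans.append((user, f.get("remip"), when))
    return orphans


def spray_sources(orphans, min_users=3):
    """Group orphaned shutdowns by source IP and keep addresses that touched at
    least min_users distinct accounts: the signature of credential validation
    against a leaked password list rather than a single user's odd client."""
    by_ip = defaultdict(set)
    for user, remip, _ in orphans:
        by_ip[remip].add(user)
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) >= min_users}


if __name__ == "__main__":
    hits = find_orphan_shutdowns(SAMPLE_LOGS.splitlines())
    for user, remip, when in hits:
        print(f"orphan shutdown: user={user} remip={remip} at {when}")
    for ip, users in spray_sources(hits).items():
        print(f"possible credential validation from {ip}: {', '.join(users)}")
```

In a SIEM the same logic is a join of shutdown events against established events per user within a window; the threshold in spray_sources should be tuned to the size of the user base, and a single orphaned shutdown for one user can still be a client crash, so the per-IP grouping is what turns the indicator into something worth paging on.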
Recommendations
Engineering recommendations:
- Require MFA for all VPN access, so that a validated password alone is not enough to log in with a compromised account
- Adopt Zero Trust principles by validating user identity and endpoint compliance before granting VPN access
- Ensure logging of all FortiClient VPN sessions, including split-tunneling traffic, is enabled
- Consider upgrading to newer versions or configurations that support more comprehensive logging
- Enable enriched metadata collection for FortiClient logs to capture more detailed session activity
- Audit and update the VPN system regularly to ensure ongoing security
- Review existing split-tunneling policies to ensure compliance with security standards
- If possible, turn off split tunneling across all VPN clients so that all traffic flows through channels monitored by IT
- Analyze VPN session logs for unusual login times, session durations, and IP address geolocations
- Proactively look for indicators of lateral movement or unauthorized network access
- Educate users on VPN security best practices, such as avoiding suspicious links or downloads while connected to the VPN
Leadership/Program recommendations:
- Train IT teams on detecting and responding to threats that leverage VPN blind spots
- Placing a Web Application Firewall (WAF) in front of the VPN server could potentially detect this kind of attack
- Use a Security Information and Event Management (SIEM) solution to centralize VPN session logs and detect anomalies
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- BlackBerry blog: https://blogs.blackberry.com/en/2024/11/lightspy-apt41-deploys-advanced-deepdata-framework-in-targeted-southern-asia-espionage-campaign
- GitHub IoCs: https://github.com/volexity/threat-intel/blob/main/2024/2024-11-15%20BrazenBamboo/rules.yar
- Volexity Analysis: https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata