Sophisticated attackers are using a FortiOS vulnerability that Fortinet patched earlier this month to target government and large organizations. Fortinet released the fix for CVE-2022-41328 on March 7th; according to the company, the vulnerability allows attackers to execute unauthorized code or commands on FortiOS devices.
In a report last week, Fortinet revealed that an intrusion at one of its customers caused all of their FortiGate devices to shut down at the same time with the message “System enters error-mode due to FIPS error: Firmware Integrity self-test failed”, after which they refused to boot. FIPS-enabled devices verify the integrity of system components at boot time; if tampering is detected, the device shuts down and refuses to boot rather than run modified firmware on the network.
The FortiGate firewalls were breached via a FortiManager device on the victim’s network, which appeared to have been compromised using the same tactics. The investigation showed that the attackers modified the device firmware image (/sbin/init) to launch a payload (/bin/fgfm) before the boot process began, which is the modification the firmware integrity self-test caught.
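To make the fail-closed behaviour above concrete, here is an added example (not Fortinet’s code, and not a description of how FortiOS implements its self-test) that models a boot-time firmware integrity check over a constructed miniature image. The file contents, the manifest format and the HMAC key standing in for the vendor’s manifest signature are all assumptions made for illustration. It shows why rewriting /sbin/init to launch a payload trips the check, why an added file such as /bin/fgfm is flagged, and why the manifest itself has to be signed: an attacker who can write arbitrary files could otherwise just recompute the hashes.

```python
"""Minimal model of a fail-closed firmware integrity self-test.

Added example, not FortiOS code: the image, manifest format and key below
are constructed to show why modifying /sbin/init stops the boot and why
the manifest of expected hashes must itself be signed.
"""
import hashlib
import hmac
import json

# Constructed miniature "firmware image": path -> file contents.
PRISTINE_IMAGE = {
    "/sbin/init": b"#!/bin/sh\n# init: mount filesystems, start daemons\nexec /bin/fortiosd\n",
    "/bin/fortiosd": b"\x7fELF...daemon placeholder...",
    "/etc/config.db": b"hostname=fw01\n",
}

# Hypothetical key standing in for the vendor's manifest-signing key; on a
# real device this trust anchor would live in hardware, not in the filesystem.
MANIFEST_KEY = b"vendor-manifest-key-constructed"

# Paths whose contents legitimately change at runtime (configuration, logs).
MUTABLE = {"/etc/config.db"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(image: dict, key: bytes) -> dict:
    """Hash every immutable file and bind the list with an HMAC tag."""
    files = {p: sha256(c) for p, c in sorted(image.items()) if p not in MUTABLE}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "tag": hmac.new(key, body, "sha256").hexdigest()}


def verify_image(image: dict, manifest: dict, key: bytes) -> list:
    """Return the list of integrity findings; an empty list means clean."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected_tag = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        # A manifest whose tag does not verify is itself a failure:
        # none of its hashes can be trusted, so stop here.
        return ["manifest: signature mismatch"]
    findings = []
    for path, digest in manifest["files"].items():
        if path not in image:
            findings.append(f"{path}: missing")
        elif sha256(image[path]) != digest:
            findings.append(f"{path}: modified")
    for path in image:
        if path not in manifest["files"] and path not in MUTABLE:
            findings.append(f"{path}: unexpected file")
    return findings


def boot(image: dict, manifest: dict, key: bytes) -> str:
    """Fail closed: any finding stops the boot instead of running the image."""
    findings = verify_image(image, manifest, key)
    if findings:
        return "error-mode: Firmware Integrity self-test failed: " + "; ".join(findings)
    return "booted"


def implant(image: dict) -> dict:
    """Model the reported tampering: init rewritten to launch a payload first."""
    tampered = dict(image)
    original_body = image["/sbin/init"].split(b"\n", 1)[1]  # drop the shebang line
    tampered["/sbin/init"] = b"#!/bin/sh\n/bin/fgfm &\n" + original_body
    tampered["/bin/fgfm"] = b"\x7fELF...constructed payload placeholder..."
    return tampered


if __name__ == "__main__":
    manifest = build_manifest(PRISTINE_IMAGE, MANIFEST_KEY)
    print(boot(PRISTINE_IMAGE, manifest, MANIFEST_KEY))
    print(boot(implant(PRISTINE_IMAGE), manifest, MANIFEST_KEY))
```

Running the block boots the pristine image and drops the implanted one into error-mode with both /sbin/init (modified) and /bin/fgfm (unexpected file) named. The mutable set matters in practice: a check that also hashed the configuration store would fail on every legitimate config change, which is how fail-closed integrity checks end up disabled.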
“The attack is highly targeted, with some hints of preferred governmental or government-related targets,” the company said.
The attackers have also demonstrated “advanced capabilities,” including reverse-engineering parts of the FortiGate devices’ operating system.
“The exploit requires a deep understanding of FortiOS and the underlying hardware. Custom implants show that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS.”
Horizon3.ai Exploit Developer James Horseman had this to say:
“The level of sophistication demonstrated in this attack indicates that the attackers have a deep understanding of FortiOS, which suggests that they have considerable resources and expertise at their disposal. This is likely a targeted attack, as indicated by Fortinet’s statement that there are ‘hints of preferred governmental or government-related targets.’
“It is worth noting that the writeup from Fortinet does not provide information on how the attackers gained initial access, which is a crucial part of understanding the full scope of the attack. While CVE-2022-41328 allows for the execution of unauthorized code or commands, it requires privileged access. This suggests that the attackers either obtained credentials for the FortiGate/FortiManager devices or used another exploit to gain remote code execution. It is also possible that the attackers used an undisclosed 0-day to gain initial access.
“Given the severity of the vulnerability and the potential for the attackers to have gained privileged access to the targeted systems, organizations that use FortiOS should take immediate steps to patch the vulnerability and monitor their systems for any suspicious activity. Additionally, it is important to stay informed about any new developments in this attack to understand its full impact and how the attackers were able to gain initial access.”
David Maynor, Senior Director of Threat Intelligence, Cybrary follows up with this comment:
“Fortinet has turned into the Groundhog Day of vulnerabilities.”
What he’s referencing is that this isn’t the first go-round with vulnerabilities in Fortinet products:
In January, Fortinet disclosed a very similar series of incidents in which a FortiOS SSL-VPN vulnerability patched in December 2022 and tracked as CVE-2022-42475 was also used as a zero-day to target government organizations and government-related entities.
Thus I suspect that enterprises that own Fortinet gear may be thinking twice about having it on their networks.
Fortinet to Acquire Lacework
Posted in Commentary with tags Fortinet on June 10, 2024 by itnerd
Fortinet today announced that it has entered into a definitive agreement to acquire Lacework, the data-driven cloud security company.
Lacework delivers a leading AI-powered cloud security platform that integrates all critical CNAPP services. With patented AI and machine learning technology, an agent-based and agentless architecture for data collection, a homegrown data lake, and a powerful code security offering, Lacework is trusted by nearly 1,000 customers to deliver comprehensive security from code to cloud.
Fortinet is renowned for its cybersecurity innovation with more patents than the nearest three competitors combined and over 100 inclusions in industry analyst reports, including recognition in eight Gartner® Magic Quadrant™ reports. Fortinet delivers its solutions as part of the Fortinet Security Fabric, an integrated cybersecurity platform that spans Secure Networking, AI-driven Security Operations, and Unified SASE, which includes access and cloud security.
Fortinet intends to integrate Lacework’s CNAPP solution into Fortinet’s Unified SASE offering, forming one of the most comprehensive, full stack AI-driven cloud security platforms available from a single vendor. This will help customers identify, prioritize, and remediate risks and threats in complex cloud-native infrastructure from code to cloud.
This strategic acquisition aligns with Fortinet’s growth strategy in the Unified SASE market, which includes solutions for securing access and cloud, and underscores the company’s commitment to innovation and integration. As part of the acquisition, Fortinet is committed to a seamless transition for Lacework customers and partners. Backed by Fortinet’s proven leadership and expertise, Lacework customers will be able to benefit from access to Fortinet’s global reach, extensive scale, vast resources, and industry-leading threat intelligence while continuing to leverage their existing security infrastructure investments.
Financial terms of the transaction were not disclosed. The transaction, which is expected to close in the second half of 2024, is subject to required regulatory approvals and other customary closing conditions. Goldman Sachs & Co. LLC is acting as exclusive financial advisor to Lacework. Cooley LLP is acting as legal counsel to Lacework, and Fenwick & West LLP is acting as legal counsel to Fortinet.