FBI issues Fortinet Flash warning
The U.S. Federal Bureau of Investigation issued a Flash alert on Thursday warning that Advanced Persistent Threat (APT) groups are exploiting vulnerabilities in Fortinet products.
According to the FBI, APT actors “almost certainly” exploited a FortiGate appliance, beginning no later than May 2021, to gain access to a web server hosting the domain of a US city government.
The APT actors may have created new user accounts on domain controllers, servers, workstations and in Active Directory to help them carry out malicious activity on the network.
“Some of these accounts appear to have been created to look like other existing accounts on the network, so specific account names may vary by organization,” the FBI said. The Bureau nevertheless warned organizations to watch for accounts named “elie” or “WADGUtilityAccount”.
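One way to turn the two indicators above into a hunt, as an added example that is not part of the FBI alert: scan Windows Security "user account created" events (Event ID 4720) for the named accounts, and also for new accounts whose names sit within one edit of an account that already existed, which is how "created to look like other existing accounts" shows up in practice. The log lines, the simplified event format and the list of pre-existing accounts are all constructed for this example.

```python
"""Hunt for suspicious account creations in Windows Security event 4720 data.

Added example; not code from the FBI alert. The log format, host names,
account list and event lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Account names the FBI Flash alert calls out explicitly (compared case-insensitively).
KNOWN_IOC_ACCOUNTS = {"elie", "wadgutilityaccount"}

# Constructed sample: simplified 4720 ("A user account was created") events,
# plus one unrelated 4724 (password reset) event that the hunt must ignore.
SAMPLE_LOG = """\
2021-05-12T03:14:07Z DC01 EventID=4720 TargetUserName=elie SubjectUserName=administrator
2021-05-12T03:15:22Z DC01 EventID=4720 TargetUserName=WADGUtilityAccount SubjectUserName=administrator
2021-05-13T11:02:45Z DC01 EventID=4720 TargetUserName=svc_backups SubjectUserName=jsmith
2021-05-13T11:04:10Z DC02 EventID=4720 TargetUserName=jsmith2 SubjectUserName=helpdesk
2021-05-13T11:06:51Z DC02 EventID=4720 TargetUserName=mgarcia SubjectUserName=helpdesk
2021-05-14T09:30:00Z DC01 EventID=4724 TargetUserName=jsmith SubjectUserName=helpdesk
"""

# Constructed baseline: accounts known to exist before the window under review.
EXISTING_ACCOUNTS = ["administrator", "jsmith", "svc_backup", "helpdesk", "krbtgt"]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<id>\d+) "
    r"TargetUserName=(?P<target>\S+) SubjectUserName=(?P<subject>\S+)$"
)


@dataclass
class Finding:
    timestamp: str
    host: str
    account: str
    created_by: str
    reason: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str, existing: List[str], max_distance: int = 1) -> Optional[str]:
    """Return the pre-existing account that `name` most closely imitates, or None."""
    low = name.lower()
    for candidate in existing:
        if low != candidate.lower() and levenshtein(low, candidate.lower()) <= max_distance:
            return candidate
    return None


def hunt_account_creations(log_text: str, existing_accounts: List[str]) -> List[Finding]:
    """Flag 4720 events whose new account is a known indicator or a look-alike."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m or m["id"] != "4720":
            continue  # malformed line or not an account-creation event
        target = m["target"]
        if target.lower() in KNOWN_IOC_ACCOUNTS:
            reason = "name matches FBI Flash indicator"
        else:
            near = lookalike_of(target, existing_accounts)
            if near is None:
                continue  # ordinary new account, nothing to review
            reason = f"look-alike of existing account {near!r}"
        findings.append(Finding(m["ts"], m["host"], target, m["subject"], reason))
    return findings


if __name__ == "__main__":
    for f in hunt_account_creations(SAMPLE_LOG, EXISTING_ACCOUNTS):
        print(f"{f.timestamp} {f.host}: {f.account} created by {f.created_by} ({f.reason})")
```

The look-alike rule deliberately errs toward noise: a legitimate `jsmith2` will be flagged alongside `svc_backups`, and that is the right trade-off for a one-off hunt after an alert like this one, where each hit is reviewed by hand and the creating account (`SubjectUserName`) tells you whether a real administrator or a compromised one did the work.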
Once inside a network, APT actors can perform data exfiltration, data encryption, or other malicious activity.
The alert comes just a month after the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned that APT actors had been scanning devices on ports 4443, 8443 and 10443 for Fortinet FortiOS CVE-2018-13379, and enumerating devices for FortiOS CVE-2020-12812 and FortiOS CVE-2019-5591.
The activity appears to be driven by the vulnerabilities themselves rather than by any particular sector: APT actors have been observed targeting a broad range of victims across multiple sectors.
“The fact that we continue to see these legacy vulnerabilities exploited despite these alerts is a warning that unpatched vulnerabilities remain a valuable tool for APT groups and cybercriminals in general,” commented Satnam Narang, Research Engineer at Tenable.
Narang added, “Unpatched vulnerabilities, not zero days, are the biggest threat to most organizations today because they allow attackers to reach their end goal in the fastest and least expensive way. It is imperative that public and private sector organizations using FortiGate SSL VPN apply these fixes immediately to avoid future compromises.”
Narang said the risk posed by unpatched vulnerabilities has been further heightened by the large shift in the workforce to remote work over the past year.