Older Fortinet Vulnerabilities Lead to Attack on Local Government Office

A new FBI warning on older Fortinet vulnerabilities shows cybercriminals continue to have an advantage when organizations delay installing patches.

An advanced persistent threat (APT) actor group recently breached a local government by exploiting older Fortinet vulnerabilities. The group “almost certainly” exploited a Fortigate appliance to access a web server hosting the local government’s domain. The FBI isn’t identifying the local government.

The APT actors likely created an account with the username “elie” to further enable malicious activity on the network. Last month, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned that APT actors had gained access to devices on ports 4443, 8443 and 10443 for Fortinet FortiOS CVE-2018-13379, and enumerated devices for FortiOS CVE-2020-12812 and FortiOS CVE-2019-5591.

What the Actors Can Do

The APT actors can do data exfiltration, data encryption or other malicious activity. They are actively targeting a broad range of victims across multiple sectors. That indicates the activity is focused on exploiting vulnerabilities rather than targeting specific sectors.

Moreover, they may have established new user accounts on domain controllers, servers, workstations and active directories, according to the FBI. Some of these accounts appear to mimic other existing accounts on the network, so specific account names may vary per organization.

In addition to unrecognized user accounts or accounts masquerading as existing accounts, the account usernames “elie” and “WADGUtilityAccount” may be associated with this activity.

Fortinet sent us the following statement:

“The security of our customers is our first priority. CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a product security incident response team (PSIRT) advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019, July 2020, and again in April 2021 strongly recommending an upgrade. If customers have not done so, we urge them to immediately implement the upgrade and mitigations.”

More Targeted Infiltrations Likely

Tyler Shields, JupiterOne‘s CMO, said this is a “target of opportunity” style of attack exploiting Fortinet vulnerabilities, for now.

JuipiterOne’s Tyler Shields

“Issues in infrastructure-related technologies lend themselves to a long tail of exploitability due to the difficulties in finding and updating these types of systems,” he said. “This is the type of thing that will linger for quite some time. Now that the attack and exploit has been made public, there is a good chance you will begin to see more targeted infiltrations.”

Scroll through our gallery above for more on the FBI warning and more cybersecurity news.