The United States Federal Bureau of Investigation issued a flash warning Thursday over the exploitation of Fortinet vulnerabilities by advanced persistent threat (APT) groups.
According to the FBI, an APT actor group has “almost certainly” been exploiting a FortiGate appliance since at least May 2021 to access a web server hosting the domain for a US municipal government.
The APT actors may have established new user accounts on domain controllers, servers, workstations, and in Active Directory to help them carry out malicious activity on the network.
“Some of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization,” said the FBI. However, the Feds warned organizations to be on the lookout for accounts created with the usernames “elie” or “WADGUtilityAccount.”
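As an added defender's example (not code from the FBI flash or this article), the following Python scans constructed Windows account-creation records (Event ID 4720) for the two usernames quoted in the alert and for newly created names that closely mimic accounts that already existed; the sample events, the pre-existing account list and the similarity threshold are assumptions for illustration.

```python
"""Flag suspicious account creations: names quoted in the FBI flash and
lookalikes of existing accounts created during the activity window."""
from datetime import datetime
import difflib

# Usernames quoted in the FBI flash, compared case-insensitively.
FLASH_INDICATOR_NAMES = {"elie", "wadgutilityaccount"}
# Earliest activity the flash describes ("since at least May 2021").
ACTIVITY_START = datetime(2021, 5, 1)

# Constructed sample 4720 records: (timestamp, new account, creator).
SAMPLE_4720_EVENTS = [
    ("2021-02-10T09:12:00", "svc-backup", "CORP\\jdoe"),
    ("2021-05-14T02:41:07", "elie", "CORP\\jdoe"),
    ("2021-05-20T03:05:55", "WADGUtilityAccount", "CORP\\jdoe"),
    ("2021-06-02T23:58:12", "svc-backups", "CORP\\jdoe"),
    ("2021-06-03T10:00:00", "mpatel", "CORP\\hr-ops"),
]

# Constructed list of accounts that existed before the activity window.
KNOWN_ACCOUNTS = ["svc-backup", "jdoe", "hr-ops", "sqlsvc"]


def lookalike_of(name, known, threshold=0.85):
    """Return the existing account this name most resembles, or None."""
    candidates = [k.lower() for k in known]
    matches = difflib.get_close_matches(name.lower(), candidates,
                                        n=1, cutoff=threshold)
    return matches[0] if matches else None


def flag_account_creations(events, known_accounts):
    """Return (timestamp, account, reason) for each suspicious event.

    Reasons: 'flash-indicator' for names quoted in the alert, and
    'lookalike:<existing>' for names created inside the activity window
    that closely resemble an account that already existed."""
    findings = []
    known_lower = {k.lower() for k in known_accounts}
    for ts, account, _creator in events:
        created = datetime.fromisoformat(ts)
        lowered = account.lower()
        if lowered in FLASH_INDICATOR_NAMES:
            findings.append((ts, account, "flash-indicator"))
        elif created >= ACTIVITY_START and lowered not in known_lower:
            twin = lookalike_of(account, known_accounts)
            if twin:
                findings.append((ts, account, f"lookalike:{twin}"))
    return findings


if __name__ == "__main__":
    for finding in flag_account_creations(SAMPLE_4720_EVENTS, KNOWN_ACCOUNTS):
        print(*finding)
```

Real 4720 events would be exported from the Security log (for example with Get-WinEvent) and the known-account list pulled from Active Directory; the lookalike threshold should be tuned against your own naming conventions.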
Once inside a network, the APT actors can conduct data exfiltration, data encryption, or other malicious activity.
The alert comes just one month after the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned that APT actors had gained access to devices on ports 4443, 8443, and 10443 for Fortinet FortiOS CVE-2018-13379, and enumerated devices for FortiOS CVE-2020-12812 and FortiOS CVE-2019-5591.
The cyber-criminal activity appears to be focused on exploiting particular vulnerabilities rather than specific sectors, as the APT actors have been observed actively targeting a broad range of victims across multiple industries.
“The fact that we continue to see these legacy vulnerabilities being exploited in spite of these alerts is a cautionary tale that unpatched flaws remain a valuable tool for APT groups and cyber-criminals in general,” commented Satnam Narang, staff research engineer at Tenable.
They added: “Unpatched vulnerabilities, not zero-days, are the biggest threat to most organizations today because it gets attackers to their end goal in the fastest and cheapest way. It is imperative that both public sector and private organizations that use the FortiGate SSL VPN apply these patches immediately to prevent future compromise.”
Narang said that the risk posed by unpatched vulnerabilities was further heightened by the broad shift of the workforce to remote working over the past year.