Heimdal
article featured image

Contents:

After issuing a cybersecurity advisory informing that APT hacking groups are deliberately targeting vulnerabilities in Fortinet FortiOS, the FBI now warns that state-sponsored attackers breached the webserver of a U.S. municipal government after hacking a Fortinet appliance.

In a flash alert published on Thursday, the agency’s Cyber Division revealed that

As of at least May 2021, an APT actor group almost certainly exploited a Fortigate appliance to access a webserver hosting the domain for a U.S. municipal government. The APT actors likely created an account with the username “elie” to further enable malicious activity on the network.

After gaining access to the local government organization’s server, the advanced persistent threat (APT) operators created new domain controller, server, workstation user accounts, and active directories. Some of these accounts appear to have been created to mimic already existing accounts on the network, therefore specific account names may vary per organization.

The FBI believes that this APT group will most likely use this access to gather and exfiltrate data from the victims’ network.

Access gained by the APT actors can be leveraged to conduct data exfiltration, data encryption, or other malicious activity. The APT actors are actively targeting a broad range of victims across multiple sectors, indicating the activity is focused on exploiting vulnerabilities rather than targeted at specific sectors.

Source

Last month, the FBI and CISA detected APT attackers scanning devices on ports 4443, 8443, and 10443 for CVE-2018-13379 in FortiOS. They also observed attackers scanning enumerated devices for CVE-2020-12812 and CVE-2019-5591.

As soon as they breach a vulnerable server, the threat actors will use them in future attacks targeting networks across critical infrastructure sectors.

The Advanced Persistent Threat (APT) actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks.

Source

The two agencies have also suggested different mitigation measures to protect systems from ongoing state-sponsored attacks exploiting the above issues.

Unpatched Fortinet servers have been continuously targeted by threat actors over the years.

Just this April, cybercriminals were actively exploiting the CVE-2018-13379 vulnerability in Fortinet VPNs to deploy a brand-new type of ransomware, tracked as Cring ransomware to companies in the industrial sector.

State-sponsored hackers have also abused the CVE-2018-13379 Fortinet SSL VPN vulnerability to compromise Internet-exposed U.S. election support systems.

In November 2020, a threat actor shared a list of one-line CVE-2018-13379 exploits that could be employed to steal VPN credentials for 49,000 Fortinet VPN servers, including high street banks and government organizations from around the world.

Author Profile

Cezarina Dinu

Head of Marketing Communications & PR

linkedin icon

Cezarina is the Head of Marketing Communications and PR within Heimdal® and a cybersecurity enthusiast who loves bringing her background in content marketing, UX, and data analysis together into one job. She has a fondness for all things SEO and is always open to receiving suggestions, comments, or questions.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE