APT actors exploiting Fortinet vulnerabilities to gain access to local governments

Designed by Freepik

A web server hosting the domain for a local government in the United States was recently breached by advanced hackers taking advantage of old vulnerabilities in firewalls sold by Fortinet, according to an FBI Flash Alert issued. After gaining access to the local government organization's server, the advanced persistent threat (APT) actors moved laterally through the network and created new domain controller, server, and workstation user accounts mimicking already existing ones.

Access gained by the APT actors can be leveraged to conduct data exfiltration, data encryption, or other malicious activity. The APT actors are actively targeting a broad range of victims across multiple sectors, indicating the activity is focused on exploiting vulnerabilities rather than targeted at specific sectors, says the FBI.

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) previously warned in April 2021 that APT actors had gained access to devices on ports 4443, 8443, and 10443 for Fortinet FortiOS CVE-2018-13379, and enumerated devices for FortiOS CVE-2020- 12812 and FortiOS CVE-2019-5591.

Tyler Shields, CMO at JupiterOne, a Morrisville, North Carolina-based provider of cyber asset management and governance solutions, explains, "This is a target of opportunity style of attack - for now. Issues in infrastructure related technologies lend themselves to a long tail of exploitability due to the difficulties in finding and updating these types of systems. This is the type of thing that will linger for quite some time. Now that the attack and exploit has been made public, there is a good chance you will begin to see more targeted infiltrations."

"The critical information to note here is that all of these vulnerabilities are at least a year old at this point. That the vulnerabilities are still being exploited underscores how critical patch management is for every enterprise. All of the FBI's recommendations take a page from almost every best practice security guide available, and it's good to get a reminder because it's not just Fortinet threat actors are targeting," notes Sean Nikkel, Senior Cyber Threat Intel Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions. "Using least privilege principles, performing regular updates and patching, using network segmentation, using backups, and strengthening login processes all go a long way to securing the estate. It's safe to say most criminal groups and APTs are counting on enterprises not being great at doing all of these things, and their continued success only highlights that fact.

Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT), a Naples, Florida-based provider of cybersecurity and compliance software, says, "Is anyone surprised about APT groups exploiting month or year old vulnerabilities in infrastructure devices successfully, even in a municipal government network? That they haven't been patched by now? Quite often the only 'sophistication' those APT groups need to have is patience and a good search capability. The rest is done by the victims. The cyber security essentials, critical controls as recommended by many, are there to break the cyber kill chain. Do it, secure and harden your assets, detect any malicious change to them, be aware of your critical devices, make it harder for the APTs to get you."

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

A head of state needs heart surgery at your facility. High-profile members of a national sports team are getting updated vaccinations. What do you do when you get the call?