FBI issues warning about Fortinet vulnerabilities after APT group hacks local goverment office

The FBI release did not say which government office had been attacked through a Fortigate appliance.
Written by Jonathan Greig, Contributor

The FBI issued a flash alert on Thursday after a local government office was attacked through Fortinet vulnerabilities earlier this month. 

The release said an "APT actor group almost certainly exploited a Fortigate appliance to access a webserver hosting the domain for a US municipal government." 

"The APT actors likely created an account with the username 'elie' to further enable malicious activity on the network," according to the white flash alert. 

The FBI did not say which local government was attacked, but the latest release follows multiple warnings about cyberattackers exploiting vulnerabilities related to Fortinet. 

"As of at least May 2021, the FBI and the CISA previously warned in April 2021 that APT actors had gained access to devices on ports 4443, 8443, and 10443 for Fortinet FortiOS CVE-2018-13379, and enumerated devices for FortiOS CVE-2020-12812 and FortiOS CVE-2019-5591," the FBI said. 

By breaking into systems through Fortinet vulnerabilities, cybercriminals or nation-states can "conduct data exfiltration, data encryption, or other malicious activity." The release noted that from their investigations, it seems that the actors behind the attack are focused on exploiting this specific vulnerability as opposed to attacking specific targets or industries. 

All of the vulnerabilities listed relate to Fortinet FortiOS, an operating system that is the backbone of Fortinet Security Fabric. The company said it was designed to offer better enterprise security, cloud deployments, and centralized networks. But despite the warnings, it appears APT groups are still able to leverage the vulnerabilities. 

In a statement to ZDNet, Fortinet said "CVE-2018-13379 is an old vulnerability resolved in May 2019" that the company immediately issued a PSIRT advisory for. The company said it also "communicated directly with customers and via corporate blog posts on multiple occasions in August 2019, July 2020, and again in April 2021 strongly recommending an upgrade." 

"Also resolved in 2019, CVE-2019-5591 is an older vulnerability as well as CVE-2020-12812, which was resolved in July 2020. If customers have not done so, we urge them to immediately implement the upgrade and mitigations," the company added.

Sean Nikkel, the senior cyber threat intel analyst at Digital Shadows, noted that all of the vulnerabilities listed in the notice are at least one year old, spotlighting the need for government institutions to improve patch management. 

"It's good to get a reminder because it's not just Fortinet threat actors are targeting. Using least privilege principles, performing regular updates and patching, using network segmentation, using backups, and strengthening login processes all go a long way to securing the estate," Nikkel said. "It's safe to say most criminal groups and APTs are counting on enterprises not being great at doing all of these things, and their continued success only highlights that fact."

Editorial standards