The FBI believes state-sponsored attackers penetrated the local government’s site after compromising a Fortinet application.
Fortinet develops cybersecurity solutions and products such as firewalls, plus software and services such as anti-virus protection, intrusion prevention systems and endpoint security components.
“As of at least May 2021, an APT actor group almost certainly exploited a Fortigate appliance to access a webserver hosting the domain for a U.S. municipal government,” the FBI’s Cyber Division said in a TLP:WHITE flash alert published today.
An advanced persistent threat (APT) actor managed to move laterally across the network and established new domain controller, server, and workstation user identities resembling previously existing ones.
APT attackers also created ‘WADGUtilityAccount’ and ‘elie’ accounts on compromised computers.
This APT will most likely use this access to exfiltrate data from the victims’ network, according to the FBI.
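The intrusion pattern the alert describes (newly created accounts that mimic existing ones, plus the two named account names) is something a defender can screen for in account-creation events. The following is an added example, not code from the article or from the FBI alert: it parses constructed, simplified Windows Security event 4720 ("A user account was created") records and flags accounts that match the FBI-listed names, closely resemble an account already in a roster, or are absent from the roster altogether. The record layout, the sample records and the roster of legitimate accounts are assumptions made up for this example.

```python
"""
Added example (not from the FBI alert or the article): screen Windows account
creation records for the two account names the alert lists and for new names
that closely resemble existing accounts. All log data below is constructed.
"""
import re
from difflib import SequenceMatcher

# Account names the FBI flash alert reports the actor created.
KNOWN_IOC_ACCOUNTS = {"WADGUtilityAccount", "elie"}

# Constructed sample: simplified text exports of Windows Security events.
# Only EventID 4720 (account created) is relevant; the field layout is an
# assumption for this example, not a real export format.
SAMPLE_EVENTS = [
    "2021-05-03T02:14:07Z EventID=4720 Host=DC01 NewAccount=svc_backup Creator=Administrator",
    "2021-05-03T02:15:41Z EventID=4720 Host=DC01 NewAccount=WADGUtilityAccount Creator=Administrator",
    "2021-05-03T02:16:02Z EventID=4720 Host=WS-0142 NewAccount=elie Creator=WS-0142$",
    "2021-05-03T02:17:30Z EventID=4720 Host=DC01 NewAccount=svc_backups Creator=Administrator",
    "2021-05-03T02:18:11Z EventID=4624 Host=DC01 TargetUserName=jdoe LogonType=3",
    "2021-05-03T02:19:55Z EventID=4720 Host=SRV-FILE01 NewAccount=deploy_user Creator=Administrator",
]

# Constructed roster of legitimate accounts, as an IAM export might provide it.
EXISTING_ACCOUNTS = {"svc_backup", "jdoe", "Administrator", "sql_svc"}

EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+)\s+Host=(?P<host>\S+)\s+NewAccount=(?P<acct>\S+)"
)


def parse_creations(lines):
    """Return (host, account) pairs for every 4720 record; other events are skipped."""
    creations = []
    for line in lines:
        m = EVENT_RE.search(line)
        if m and m.group("id") == "4720":
            creations.append((m.group("host"), m.group("acct")))
    return creations


def looks_like(name, roster, threshold=0.85):
    """Return the roster account that `name` most resembles without being identical.

    An exact (case-insensitive) match is not a look-alike and yields None, as does
    any candidate whose similarity ratio is below `threshold`.
    """
    best, best_score = None, 0.0
    for existing in roster:
        if existing.lower() == name.lower():
            return None
        score = SequenceMatcher(None, name.lower(), existing.lower()).ratio()
        if score > best_score:
            best, best_score = existing, score
    return best if best_score >= threshold else None


def classify_new_accounts(lines, roster=EXISTING_ACCOUNTS):
    """Map each suspicious newly created account to the reason it was flagged."""
    findings = {}
    for host, acct in parse_creations(lines):
        if acct in KNOWN_IOC_ACCOUNTS:
            findings[acct] = f"matches FBI-listed indicator (created on {host})"
            continue
        twin = looks_like(acct, roster)
        if twin is not None:
            findings[acct] = f"resembles existing account '{twin}' (created on {host})"
        elif acct not in roster:
            findings[acct] = f"not in account roster (created on {host})"
    return findings


if __name__ == "__main__":
    for acct, reason in classify_new_accounts(SAMPLE_EVENTS).items():
        print(f"{acct}: {reason}")
```

The look-alike check is deliberately separate from the indicator list: indicator names change from one intrusion to the next, while the habit of creating accounts that blend in with existing ones is a reusable signal. In practice the roster would come from the directory or IAM system and the threshold would be tuned against the organisation's own naming conventions.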
The fact that the attackers are targeting a broad spectrum of victims across different industries indicates that the campaign is focused on exploiting weaknesses wherever they are found, not on any specific industry.
The FBI and CISA also recently warned that state-sponsored hacking groups have exploited the Fortinet vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
Additionally, threat actors are scanning for vulnerable devices on ports 4443, 8443, and 10443 that are missing the patch for CVE-2018-13379.
“APT actors may use other CVEs or common exploitation techniques—such as spearphishing—to gain access to critical infrastructure networks to pre-position for follow-on attacks,” the two federal agencies said.
The FBI and CISA have provided ways to mitigate these state-sponsored attacks.
Over the years, state-sponsored hackers have attacked unpatched Fortinet systems many times. For example, a Fortinet SSL VPN vulnerability was exploited to compromise unprotected US election support systems.
In November 2020, a threat actor published single-line CVE-2018-13379 exploits that could be used to compromise about 50,000 Fortinet VPN devices, including those belonging to governments and banks.
Multiple severe vulnerabilities were found in Fortinet products earlier this year. The patched issues included RCE, SQL injection, and DoS vulnerabilities affecting FortiProxy SSL VPN and FortiWeb WAF products.