FBI Warns of APT Groups Exploiting Fortinet Vulnerabilities

The Federal Bureau of Investigation (FBI) has issued a Flash Alert warning of the continued exploitation of Fortinet FortiGate vulnerabilities by Advanced Persistent Threat (APT) groups.

In the Alert, the FBI said it is almost certain that an APT actor exploited the vulnerabilities to access a web server hosting the domain for a U.S. municipal government, and that the flaws have been exploited since at least May 2021. Once access was gained, the group created an account named “elie,” which was used to conduct further malicious activity on the network.

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) had previously issued a joint alert in April warning of exploitation of Fortinet flaws by APT actors, specifically CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 in FortiOS. Access to devices is gained via ports 4443, 8443, and 10443.

Once the vulnerabilities have been exploited, the APT actors can move laterally, exfiltrate data, encrypt files, and perform a range of other malicious actions. While government agencies and departments have been attacked, attacks have been conducted on a broad range of targets in multiple sectors, which suggests the group is targeting the vulnerabilities rather than specific targets.

The FBI warns that the APT actors may have created new accounts on domain controllers, servers, workstations, and active directories to carry out malicious activities. The attackers have taken steps to hide these new accounts by using a similar naming convention to existing accounts on the network, as well as creating accounts named “elie” and “WADGUtilityAccount.”

The attackers have used a range of different tools in the attacks, including Mimikatz, MinerGate, WinPEAS, SharpWMI, BitLocker, WinRAR, and FileZilla, with FTP transfers taking place over port 443.

Several mitigations have been suggested to prevent exploitation of the flaws, especially patching CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. These vulnerabilities are not zero-days. Patches have been available for some time to fix the flaws, yet many organizations have been very slow to patch.

If FortiOS is not used, the FBI recommends adding the key artifact files used by FortiOS to your organization’s execution denylist, reviewing domain controllers, servers, workstations, and active directories for new or unrecognized user accounts, and reviewing Task Scheduler for unrecognized scheduled tasks and manually reviewing operating system defined or recognized scheduled tasks for unrecognized “actions.”
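
The review of new or unrecognized accounts can be partly automated. The Python code below is an added example, not taken from the FBI alert or written by the article's author: it triages account-creation events (Windows Security event ID 4720) for the two account names reported above and for names that closely resemble existing accounts. The event records, the baseline list and the function names are constructed for illustration.

```python
# Added example: triage account-creation events for the account names and the
# lookalike-naming pattern described in the alert. All sample data is constructed.

ALERT_NAMES = {"elie", "wadgutilityaccount"}  # account names reported in the article


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_new_accounts(events, baseline):
    """Return (account, reason) for every account created in `events`."""
    known = {n.lower(): n for n in baseline}  # inventory taken before the window
    findings = []
    for ev in events:
        if ev["event_id"] != 4720:  # 4720 = "A user account was created"
            continue
        name = ev["account"].lower()
        if name in ALERT_NAMES:
            findings.append((ev["account"], "named in alert"))
            continue
        # Lookalike: 1-2 edits away from an existing account. Names shorter
        # than 6 characters are skipped, since 2 edits would match too much.
        close = [k for k in known
                 if len(name) >= 6 and 0 < edit_distance(name, k) <= 2]
        if close:
            best = min(close, key=lambda k: edit_distance(name, k))
            findings.append((ev["account"], "lookalike of " + known[best]))
        else:
            findings.append((ev["account"], "unrecognized"))
    return findings


BASELINE = ["Administrator", "WDAGUtilityAccount", "svc_backup", "helpdesk"]
SAMPLE_EVENTS = [  # constructed records, not real log output
    {"event_id": 4720, "account": "elie"},
    {"event_id": 4720, "account": "WADGUtilityAccount"},
    {"event_id": 4720, "account": "WDAGUtilityAcount"},
    {"event_id": 4720, "account": "svc_backup1"},
    {"event_id": 4720, "account": "jsmith"},
    {"event_id": 4624, "account": "helpdesk"},  # logon event, ignored
]
```

Every created account is returned so that none escapes review; the reason only sets the order in which an analyst looks at them.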

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news