The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have shared details about threat actors breaching the webserver of a US municipal government after exploiting vulnerabilities in Fortinet VPN appliances.
The two agencies had previously warned that Advanced Persistent Threat (APT) groups were likely exploiting several critical vulnerabilities in Fortinet appliances. They specifically identified three vulnerabilities, tracked as CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591, and urged users to patch them without delay.
"As of at least May 2021, an APT actor group almost certainly exploited a Fortigate appliance to access a webserver hosting the domain for a U.S. municipal government," observed the FBI's Cyber Division in a flash alert as it continued to warn users of unpatched Fortinet appliances.
The advisory further shared that the threat actors are “actively targeting” victims across multiple sectors, which suggests that they are indiscriminately looking for vulnerable hosts rather than targeting someone in particular.
Dropping backdoors
Based on its analysis of the threat actor’s movements on the municipal government’s compromised system, the FBI shared that once they were in, they moved through the network and created new domain controller, server, and workstation user accounts.
The FBI suggests that the threat actors' access may be used for further malicious activity, including the collection and exfiltration of data from the victims' network.
"APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spear phishing campaigns, website defacements, and disinformation campaigns," warned the agencies in their earlier advisory, as they suggested some mitigations to help Fortinet users avoid being attacked.
Via BleepingComputer