FBI Warns of Ongoing Exploitation of Fortinet Vulnerabilities by APT Actors

The Federal Bureau of Investigation (FBI) has issued a Flash Alert warning users of Fortinet Fortigate appliances that Advanced Persistent Threat (APT) groups are targeting devices that have not been patched for three CVEs: CVE-2018-13379, CVE-2019-5591, and CVE-2020-12812.

These are not zero-day vulnerabilities, as patches have been available for some time. Many organizations have been slow to apply the patches and are now being targeted. In early April, the FBI, in conduction with the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) issued a Joint Cybersecurity Advisory warning that the vulnerabilities could be exploited by threat actors to conduct data exfiltration, data encryption, and to pre-position for follow-on attacks.

In the recent Flash Alert, the FBI confirmed that an APT actor has been attempting to exploit the vulnerabilities since at least May 2021, and almost certainly exploited the vulnerabilities to gain access to a webserver hosting the domain for a U.S. municipal government. In that instance, the threat actors most likely created a new account – named elie – for conducting further malicious activities on the network.

Attacks exploiting the vulnerabilities do not appear to be targeted on any specific industry sector, instead the APT actor is simply attempting to exploit unpatched vulnerabilities. To date, victims have been in a broad range of industry sectors.

The APT actor creates new user accounts on domain controllers, servers, workstations, and the active directories. In addition to creating accounts named elie and WADGUtilityAccount, new accounts have been created to look similar to legitimate existing accounts on the network and have been specific to each victim organization.

The APT actor is known to make modifications to the Task Scheduler that may display as unrecognized scheduled tasks or ‘actions’, in particular, associated with SynchronizeTimeZone. Several tools have been used in the attacks, including Mimikatz for credential theft, MinerGate for cryptocurrency mining, WinPEAS for privilege escalation, SharpWMI for Windows Management Instrumentation, BitLocker for data encryption, and FileZilla for file transfers, with outbound FTP transfers identified over port 443.

Users of Fortigate appliances should ensure that patches are applied as soon as possible to correct the above vulnerabilities, and non FortiOS users should add key artifact files used by FortiOS to execution denylists to block any attempts to run FortiOS and its associated files.

Since exploitation may have already occurred, system administrators should review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts and Task Scheduler should be reviewed for any unrecognized scheduled tasks. The FBI also recommends manually reviewing operating system defined or recognized scheduled tasks for unrecognized “actions.” Antivirus logs should also be reviewed for indications that they were unexpectedly turned off.

Further mitigations to deal with the threat are detailed in the Flash Alert, a copy of which is available from the American Hospital Association on this link.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.