FBI: Attackers Continue to Exploit Unpatched Fortinet FlawsBureau Says Attackers Targeted Server for a US Municipal Government
Advanced persistent threat groups are continuing to exploit unpatched flaws in Fortinet products, the FBI says in a flash alert. For example, an APT group apparently recently exploited a Fortigate appliance to access a web server hosting the domain for a U.S. municipal government.
The group likely created an account with the username “elie” to further enable malicious activity on the network, according to the alert.
Earlier, the FBI issued a warning about three vulnerabilities in Fortinet's operating system, FortiOS (see: FBI and CISA: APT Groups Targeting Government Agencies).
The FBI says APT groups "are actively targeting a broad range of victims across multiple sectors, indicating the activity is focused on exploiting vulnerabilities rather than targeted at specific sectors."
The bureau urges users of vulnerable Fortinet products to immediately patch the flaws to prevent attacks.
According to the FBI, the three FortiOS vulnerabilities that are still being exploited are:
- CVE-2018-13379: An improper pathname vulnerability found in multiple versions of the Fortinet FortiOS SSL VPN web portal that can allow an unauthenticated attacker to download system files via specially crafted HTTP resource requests;
- CVE-2020-12812: An improper authentication vulnerability in SSL VPN affecting multiple FortiOS versions that enables an attacker to successfully log in without authentication;
- CVE-2019-5591: A default configuration vulnerability in FortiOS that allows an unauthenticated attacker to intercept sensitive information by impersonating servers.
Fortinet said earlier that all three vulnerabilities were resolved by the company between August 2019 and July 2020, and patches were issued.
The FBI offered risk mitigation steps for Fortinet users that, beyond patching, include:
- Regularly back up data and password protect those backup copies.
- Implement network segmentation and have an effective recovery plan to restore sensitive or proprietary data from a physically separate, segmented, secure location - such as a hard drive, a storage device or in the cloud.
- Disable unused remote access or remote desktop protocol ports and monitor these tools.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.