APT Breached Local Government Using Fortinet Vulnerability, FBI Says
Written by Benjamin Freed
A web server hosting the domain of a local government in the United States was recently compromised by advanced hackers exploiting old vulnerabilities in firewalls sold by Fortinet, according to an FBI alert released Thursday.
According to the bulletin, an advanced persistent threat group – a term that generally refers to state-backed actors – gained access to the municipal government's network and may have created new user accounts to access its domain controllers, servers and Active Directory.
“As of at least May 2021, an APT actor group almost certainly exploited a Fortigate appliance to access a web server hosting the domain for a U.S. municipal government,” the alert said, referring to Fortinet's line of firewalls, which the company sells as cloud-based software, virtual machines and physical appliances.
The vulnerabilities that the FBI said allowed the APT to enter the local government's network had been disclosed by Fortinet in 2018, 2019 and 2020, and the company issued patches at the time. But organizations are sometimes slow to install patches, often to the advantage of malicious actors.
The FBI and the Cybersecurity and Infrastructure Security Agency published an advisory last month warning that APT actors “are looking for these vulnerabilities to gain access to multiple government, commercial and technology services networks.”
“APT actors may use any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks,” that advisory continued.
The specific vulnerabilities mentioned in Thursday’s alert relate to configurations in FortiOS, Fortinet’s proprietary operating system.
The FBI said the APT hackers may have created a fake account on the municipal government's systems using the account name “elie”. This account and others, the bureau warned, could allow malicious hackers to carry out further attacks.
“Some of these accounts appear to have been created to look like other existing accounts on the network, so specific account names may vary by organization,” the alert said.