FBI Warning Regarding Persistent Exploitation of Fortinet Vulnerabilities by APT Groups

The Federal Bureau of Investigation (FBI) has released a Flash Alert warning users of Fortinet FortiGate appliances that Advanced Persistent Threat (APT) groups are exploiting devices that have not been patched against three CVEs: CVE-2020-12812 (an SSL VPN two-factor authentication bypass), CVE-2019-5591 (a default configuration that does not verify the identity of the LDAP server), and CVE-2018-13379 (a path traversal in the SSL VPN web portal that exposes system files).

These are not zero-day vulnerabilities: patches for all three have been available for some time. Many organizations have nonetheless been slow to apply them and are now being targeted. In early April, the FBI and the DHS Cybersecurity and Infrastructure Security Agency (CISA) published a Joint Cybersecurity Advisory stating that threat actors could use the vulnerabilities to exfiltrate data, encrypt data, and pre-position themselves for follow-on attacks.

In the latest Flash Alert, the FBI states that an APT actor has been exploiting the vulnerabilities since at least May 2021 and almost certainly used them to gain access to a web server hosting a U.S. municipal government domain. In that incident the threat actors likely created a new user account, named elie, to carry out further malicious activity on the system.

The attacks do not appear to be aimed at any particular industry; the APT group is simply looking for unpatched devices to exploit. Victims identified so far span a wide range of industries.

The APT actor creates new user accounts on domain controllers, servers and workstations, and in Active Directory. In addition to accounts named elie and WADGUtilityAccount, the actor has created accounts that mimic legitimate existing accounts on the network; these lookalike names are unique to each victim organization, so they cannot be found with a fixed list of known-bad names.

The APT actor is also known to modify the Task Scheduler; the changes can show up as unrecognized scheduled tasks or task 'actions', specifically ones associated with SynchronizeTimeZone. Various tools have been used in the attacks: MinerGate for cryptocurrency mining, Mimikatz for credential theft, SharpWMI for Windows Management Instrumentation, BitLocker for data encryption, WinPEAS for privilege escalation enumeration, and FileZilla for file transfers, with outbound FTP transfers configured over port 443 (the port normally used for HTTPS, which lets the transfers blend in with ordinary web traffic).

Users of FortiGate appliances should ensure that patches for the three vulnerabilities are applied without delay. Organizations that do not use FortiOS should add the key artifact files used by FortiOS to their execution denylists, so that any attempt to install or run FortiOS and its associated files is blocked.

Because exploitation may already have taken place, system administrators should check domain controllers, servers, workstations, and Active Directory for new or unrecognized user accounts, and review the Task Scheduler for unrecognized scheduled tasks. The FBI also recommends manually inspecting operating-system-defined or otherwise recognized scheduled tasks for unrecognized 'actions', since a legitimate task whose action has been altered will not show up as a new task. Antivirus logs should be reviewed as well for signs that protection was unexpectedly turned off.
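As an added example (not part of the FBI alert or this article), the following PowerShell script performs the host-level checks described above: it reports accounts matching the names called out in the alert or created within a lookback window, flags the SynchronizeTimeZone task if its action no longer points at the stock binary, lists recently created tasks, checks Microsoft Defender for disable events and current state, and looks for FileZilla connections to remote port 443. Assumptions (mine, not the alert's): Microsoft Defender is the antivirus product, the stock SynchronizeTimeZone task runs tzsync.exe (verify against a known-good host), and the lookback window and account-name list are placeholders to adjust for your environment.

```powershell
<#
  Added host-triage example for the TTPs in the FBI Flash Alert; not code from the alert.
  Run in an elevated PowerShell 5.1+ session on each domain controller, server and workstation.
  Assumptions: Microsoft Defender is the AV product; the stock SynchronizeTimeZone task runs
  tzsync.exe; $LookbackDays and $KnownBadAccounts are placeholders to tune per environment.
#>
param(
    [int]$LookbackDays = 90,
    # Account names called out in the Flash Alert. Add lookalike names found on your own network.
    [string[]]$KnownBadAccounts = @('elie', 'WADGUtilityAccount')
)

$since    = (Get-Date).AddDays(-$LookbackDays)
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Category, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Host = $env:COMPUTERNAME; Category = $Category; Detail = $Detail })
}
# Read EventData fields by name instead of relying on positional indexes, which differ per event schema.
function Get-EventData($Event) {
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}
function Get-Events([string]$Log, [int[]]$Ids) {
    Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = $Ids; StartTime = $since } -ErrorAction SilentlyContinue
}

# 1. Accounts: IOC names, plus Security event 4720 ('A user account was created') within the window.
foreach ($u in Get-LocalUser) {
    if ($KnownBadAccounts -contains $u.Name) { Add-Finding 'Account' "Local account '$($u.Name)' matches alert IOC" }
}
foreach ($e in Get-Events 'Security' 4720) {
    $d = Get-EventData $e
    Add-Finding 'Account' "Account '$($d.TargetUserName)' created by '$($d.SubjectUserName)' at $($e.TimeCreated)"
}
# On a domain controller (RSAT ActiveDirectory module present) also query Active Directory itself.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    foreach ($a in Get-ADUser -Filter { whenCreated -ge $since } -Properties whenCreated) {
        Add-Finding 'Account' "AD account '$($a.SamAccountName)' created $($a.whenCreated)"
    }
    foreach ($name in $KnownBadAccounts) {
        foreach ($a in Get-ADUser -Filter "SamAccountName -eq '$name'") {
            Add-Finding 'Account' "AD account '$($a.SamAccountName)' matches alert IOC"
        }
    }
}

# 2. Scheduled tasks: the alert ties the actor's changes to SynchronizeTimeZone. Compare that task's
#    action with the stock one (assumed tzsync.exe; confirm on a known-good host) and flag any other
#    task that references the name. Security event 4698 ('A scheduled task was created') lists new
#    tasks, but only if 'Audit Other Object Access Events' is enabled.
foreach ($t in Get-ScheduledTask) {
    $actions = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    if ($t.TaskName -eq 'SynchronizeTimeZone' -and $actions -notmatch 'tzsync\.exe') {
        Add-Finding 'ScheduledTask' "Modified action on '$($t.TaskPath)$($t.TaskName)': $actions"
    } elseif ($t.TaskName -ne 'SynchronizeTimeZone' -and $actions -match 'SynchronizeTimeZone') {
        Add-Finding 'ScheduledTask' "Task '$($t.TaskPath)$($t.TaskName)' references SynchronizeTimeZone: $actions"
    }
}
foreach ($e in Get-Events 'Security' 4698) {
    $d = Get-EventData $e
    Add-Finding 'ScheduledTask' "Task '$($d.TaskName)' created by '$($d.SubjectUserName)' at $($e.TimeCreated)"
}

# 3. Antivirus: Defender logs 5001 when real-time protection is disabled and 5010 when malware
#    scanning is disabled. Other AV products use their own logs and event IDs.
foreach ($e in Get-Events 'Microsoft-Windows-Windows Defender/Operational' @(5001, 5010)) {
    Add-Finding 'Antivirus' "Defender event $($e.Id) at $($e.TimeCreated): $(($e.Message -split "`n")[0])"
}
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    if (-not (Get-MpComputerStatus).RealTimeProtectionEnabled) {
        Add-Finding 'Antivirus' 'Defender real-time protection is currently OFF'
    }
}

# 4. Exfiltration tooling: FileZilla doing FTP over TCP/443. Report established connections to a
#    remote port 443 whose owning process is filezilla.
foreach ($c in Get-NetTCPConnection -State Established -RemotePort 443 -ErrorAction SilentlyContinue) {
    $p = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    if ($p -and $p.ProcessName -match '^filezilla') {
        Add-Finding 'Network' "$($p.ProcessName) (PID $($p.Id)) connected to $($c.RemoteAddress):443"
    }
}

$findings | Format-Table -AutoSize
# Keep one CSV per host so account names can be compared across the fleet afterwards.
$findings | Export-Csv -Path ".\triage-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Run it on every host in scope and diff the resulting CSVs: the lookalike accounts are unique per victim, so the useful signal is an account name that exists on one host and is absent from the others, or a creation time that matches the SynchronizeTimeZone change. Because the script is a point-in-time view, it will miss a FileZilla session that has already ended; pair it with firewall or proxy logs for historical connections on port 443 that do not look like TLS.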

Additional mitigations are described in the Flash Alert, a copy of which is available from the American Hospital Association here.