FBI Shares IOCs for APT Attacks Exploiting Fortinet Vulnerabilities

The FBI on Thursday published indicators of compromise (IOCs) associated with the continuous exploitation of Fortinet FortiOS vulnerabilities in attacks targeting commercial, government, and technology services networks.

In early April, the FBI along with the Cybersecurity and Infrastructure Security Agency (CISA) warned that threat actors had been targeting serious security holes in Fortinet’s flagship operating system FortiOS for initial access into victims’ networks.

The targeted bugs include CVE-2018-13379 (a path traversal in the FortiOS SSL VPN web portal), CVE-2020-12812 (a bypass of FortiOS SSL VPN two-factor authentication), and CVE-2019-5591 (default configurations ship without LDAP server identity verification).

While initial activity only involved scanning for devices vulnerable to the FortiOS SSL VPN web portal flaw (on ports 4443, 8443, and 10443), as well as enumeration of devices potentially impacted by the other two bugs, the attackers have since moved to network compromise and additional malicious activity.

“As of at least May 2021, an APT actor group almost certainly exploited a Fortigate appliance to access a webserver hosting the domain for a U.S. municipal government. The APT actors likely created an account with the username ‘elie’ to further enable malicious activity on the network,” the FBI now says.

The agency says that another account likely associated with this activity is “WADGUtilityAccount,” which, like “elie,” threat actors might have created in Active Directory and on domain controllers, servers, and workstations. Network administrators should also look for other unrecognized accounts.

Additionally, admins should be wary of executable files such as Audio.exe (or frpc.exe) and Frps.exe, of outbound FTP traffic on port 443, of a scheduled task named “SynchronizeTimeZone,” and of the use of tools such as Mimikatz, MinerGate, WinPEAS, SharpWMI, BitLocker, WinRAR, and FileZilla. Some of these might be benign unless used where unexpected, the FBI notes.
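A host-telemetry sweep for the indicators listed above, added here as an example and not taken from the FBI flash or the article; the record schema, host names and addresses are constructed, and the dual-use tools are flagged at a lower severity because the FBI notes they can be benign.

```python
"""Sweep exported host telemetry for the FortiOS-campaign IOCs the FBI published."""

# Indicators quoted in the article; the record schema below is constructed.
SUSPICIOUS_ACCOUNTS = {"elie", "wadgutilityaccount"}
SUSPICIOUS_BINARIES = {"audio.exe", "frpc.exe", "frps.exe"}
SUSPICIOUS_TASKS = {"synchronizetimezone"}
# Dual-use tools: flag for triage, since legitimate admins also run them.
DUAL_USE_TOOLS = ("mimikatz", "minergate", "winpeas", "sharpwmi", "winrar", "filezilla")


def hunt(records):
    """Return (severity, message) findings for telemetry dicts whose 'kind' is
    account_created, task_created, process_start or netflow (constructed schema)."""
    findings = []
    for r in records:
        kind = r["kind"]
        if kind == "account_created" and r["name"].lower() in SUSPICIOUS_ACCOUNTS:
            findings.append(("high", f"IOC account created: {r['name']} on {r['host']}"))
        elif kind == "task_created" and r["name"].lower() in SUSPICIOUS_TASKS:
            findings.append(("high", f"IOC scheduled task: {r['name']} on {r['host']}"))
        elif kind == "process_start":
            image = r["image"].rsplit("\\", 1)[-1].lower()  # basename of the Windows path
            if image in SUSPICIOUS_BINARIES:
                findings.append(("high", f"IOC binary executed: {r['image']} on {r['host']}"))
            elif any(tool in image for tool in DUAL_USE_TOOLS):
                findings.append(("medium", f"dual-use tool: {r['image']} on {r['host']}"))
        elif kind == "netflow" and r["dst_port"] == 443 and r["app_proto"].lower() == "ftp":
            # FTP on 443 hides among HTTPS; the protocol/port mismatch is the tell.
            findings.append(("high", f"FTP over 443: {r['src']} -> {r['dst']}"))
    return findings


# Constructed sample telemetry (hosts and addresses are illustrative).
SAMPLE = [
    {"kind": "account_created", "name": "elie", "host": "WS01"},
    {"kind": "account_created", "name": "jsmith", "host": "WS01"},
    {"kind": "task_created", "name": "SynchronizeTimeZone", "host": "DC01"},
    {"kind": "process_start", "image": "C:\\Users\\Public\\Audio.exe", "host": "WS02"},
    {"kind": "process_start", "image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "host": "WS02"},
    {"kind": "process_start", "image": "C:\\Windows\\System32\\svchost.exe", "host": "WS02"},
    {"kind": "netflow", "src": "10.0.0.5", "dst": "203.0.113.10", "dst_port": 443, "app_proto": "ftp"},
    {"kind": "netflow", "src": "10.0.0.5", "dst": "203.0.113.10", "dst_port": 443, "app_proto": "tls"},
]

if __name__ == "__main__":
    for severity, message in hunt(SAMPLE):
        print(f"[{severity.upper()}] {message}")
```

Feed it the account-creation, scheduled-task, process and flow exports from your own tooling in the same dict shape; the "medium" findings need triage against known administrator activity before escalation.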

Administrators are also advised to take all the necessary measures to ensure the security of networks, including keeping systems patched and continuously updated, implementing network segmentation and multi-factor authentication, applying the principle of least privilege, keeping data backed up, employing malware detection tools, and periodically checking the environment for suspicious activity.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
