The Federal Bureau of Investigation (FBI) has issued a Flash Alert warning users of Fortinet FortiGate appliances that Advanced Persistent Threat (APT) groups are targeting devices that have not been patched against three vulnerabilities: CVE-2018-13379 (a path traversal in the FortiOS SSL VPN web portal that lets an unauthenticated attacker read system files, including session credentials), CVE-2019-5591 (a default configuration that does not verify the identity of the LDAP server, enabling credential interception by a man-in-the-middle) and CVE-2020-12812 (an authentication flaw that allows two-factor authentication to be bypassed).
None of these are zero-day vulnerabilities; patches have been available for some time. Many organizations have nonetheless been slow to apply them, and unpatched devices are now being attacked. In early April, the FBI and the DHS Cybersecurity and Infrastructure Security Agency (CISA) issued a Joint Cybersecurity Advisory warning that attackers were exploiting the vulnerabilities to gain access to networks and to pre-position for follow-on attacks, including data exfiltration and data encryption.
In the new Flash Alert, the FBI states that an APT group has been exploiting the vulnerabilities since at least May 2021 and almost certainly used them to gain access to a web server hosting the domain of a U.S. municipal government. After gaining access, the actors created a new user account named elie to further their malicious activity on the network.
The attacks do not appear to target any particular industry sector. The APT actor is opportunistically exploiting whatever unpatched devices it finds, and victims to date span a wide range of sectors.
The APT group creates new user accounts on workstations, domain controllers, Active Directory and servers. Besides the accounts named elie and WADGUtilityAccount, the actors created accounts designed to look identical to legitimate accounts already present on the system; those names were specific to each victim organization, so a fixed list of indicator account names will not catch them.
The APT actor is known to modify the Task Scheduler, which may show up as unrecognized scheduled tasks or "actions", in particular ones associated with SynchronizeTimeZone. A number of tools were used in the attacks, including MinerGate for cryptocurrency mining, SharpWMI for Windows Management Instrumentation, Mimikatz for credential theft, WinPEAS for privilege-escalation enumeration, BitLocker for data encryption and FileZilla for file transfers, with outbound FTP transfers observed over port 443, the port normally used for HTTPS. Several of these (BitLocker, FileZilla, WMI tooling) are legitimate administration tools, so their presence is a lead to be assessed in context rather than proof of compromise on its own.
FortiGate users should apply the patches for the three vulnerabilities immediately. Because CVE-2018-13379 allows SSL VPN session credentials to be read from the device, patching alone does not invalidate credentials that may already have been harvested; those should be reset as well. Organizations that do not use FortiOS should add the key artifact files used by FortiOS to their execution denylists so that any attempt to execute FortiOS or its associated files is blocked.
Because exploitation may already have taken place, system administrators should review servers, domain controllers, workstations and Active Directory for new or unrecognized user accounts, and review the Task Scheduler for unrecognized scheduled tasks. The FBI also recommends manually reviewing operating-system-defined or otherwise recognized scheduled tasks for unrecognized "actions", since the actor has been seen tampering with existing tasks rather than only creating new ones. Antivirus logs should also be checked for signs that protection was unexpectedly switched off.
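The review described above (new and lookalike accounts, scheduled tasks touching SynchronizeTimeZone, antivirus being disabled, the listed tooling, and FTP on port 443) can be scripted over a centralized Windows event export rather than done host by host. The script below is an added example written for this article, not code from the FBI alert or from Fortinet. It assumes a JSON-lines export whose field names (EventID, Computer, TargetUserName, TaskName, TaskContent, NewProcessName, CommandLine, app, dst_port) are modelled on a generic SIEM export; the sample records and the baseline account list are constructed for the demonstration. The event IDs used are the standard Windows ones: 4720 account created, 4698/4702 scheduled task created/updated, 4688 process creation, and Windows Defender operational event 5001 for real-time protection being disabled.

```python
"""Triage a Windows event export for the post-exploitation indicators in the
FBI Flash alert. Added example; JSON-lines field names are an assumption
modelled on a generic SIEM export, sample data below is constructed."""
import json
import re

# Account names named in the alert (compared case-insensitively).
KNOWN_ROGUE_ACCOUNTS = {"elie", "wadgutilityaccount"}
TASK_PATTERN = re.compile(r"synchronizetimezone", re.IGNORECASE)
# Tool names from the alert, plus Mimikatz module names, which survive
# renaming of the binary and therefore show up in the command line.
TOOL_PATTERN = re.compile(
    r"mimikatz|sekurlsa|lsadump|winpeas|sharpwmi|minergate|filezilla", re.IGNORECASE)

# Constructed baseline of legitimate accounts, as an admin would export it.
BASELINE_ACCOUNTS = ["Administrator", "svc_backup", "helpdesk1", "bkessler"]


def within_one_edit(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1            # extra character in a
        elif len(a) < len(b):
            j += 1            # extra character in b
        else:
            i += 1            # substitution
            j += 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def classify_account(name, baseline):
    """Finding for a newly created account, or None if the name is expected.
    Lookalike detection is what catches the per-victim names the alert mentions."""
    lname = name.lower()
    if lname in KNOWN_ROGUE_ACCOUNTS:
        return f"known rogue account created: {name}"
    if lname in {b.lower() for b in baseline}:
        return None
    for b in baseline:
        if within_one_edit(lname, b.lower()):
            return f"lookalike account created: {name} (resembles {b})"
    return f"unrecognised account created: {name}"


def triage(lines, baseline_accounts):
    """Scan JSON-lines event records and return a list of human-readable findings."""
    findings = []
    for raw in lines:
        if not raw.strip():
            continue
        ev = json.loads(raw)
        host = ev.get("Computer", "?")
        eid = ev.get("EventID")
        if eid == 4720:
            f = classify_account(ev.get("TargetUserName", ""), baseline_accounts)
            if f:
                findings.append(f"{host}: {f}")
        elif eid in (4698, 4702):
            task, content = ev.get("TaskName", ""), ev.get("TaskContent", "")
            if TASK_PATTERN.search(task) or TASK_PATTERN.search(content):
                verb = "created" if eid == 4698 else "modified"
                findings.append(f"{host}: scheduled task {verb} touching "
                                f"SynchronizeTimeZone: {task}; review its action manually")
        elif eid == 4688:
            cmd = f"{ev.get('NewProcessName', '')} {ev.get('CommandLine', '')}".strip()
            m = TOOL_PATTERN.search(cmd)
            if m:
                findings.append(f"{host}: known tooling executed ({m.group(0)}): {cmd}")
        elif eid == 5001:
            findings.append(f"{host}: Defender real-time protection disabled")
        elif ev.get("app", "").lower() == "ftp" and ev.get("dst_port") == 443:
            findings.append(f"{host}: outbound FTP over port 443 to {ev.get('dst_ip', '?')}")
    return findings


# Constructed sample export: the two named accounts, one lookalike, one unknown,
# a modified SynchronizeTimeZone task, a renamed Mimikatz, WinPEAS, Defender
# switched off, and an FTP session on 443.
SAMPLE_EXPORT = r"""
{"EventID": 4720, "Computer": "DC01", "TargetUserName": "elie"}
{"EventID": 4720, "Computer": "DC01", "TargetUserName": "WADGUtilityAccount"}
{"EventID": 4720, "Computer": "SRV02", "TargetUserName": "svc-backup"}
{"EventID": 4720, "Computer": "SRV02", "TargetUserName": "jsmith"}
{"EventID": 4702, "Computer": "WS17", "TaskName": "\\Microsoft\\Windows\\Time Zone\\SynchronizeTimeZone", "TaskContent": "<Exec><Command>C:\\Users\\Public\\s.exe</Command></Exec>"}
{"EventID": 4688, "Computer": "WS17", "NewProcessName": "C:\\Users\\Public\\m.exe", "CommandLine": "m.exe privilege::debug sekurlsa::logonpasswords"}
{"EventID": 4688, "Computer": "SRV02", "NewProcessName": "C:\\Temp\\winPEAS.exe", "CommandLine": "winPEAS.exe"}
{"EventID": 5001, "Computer": "WS17"}
{"Computer": "SRV02", "app": "FTP", "dst_ip": "203.0.113.7", "dst_port": 443}
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_EXPORT.splitlines(), BASELINE_ACCOUNTS):
        print(finding)
```

The baseline diff is the part that matters most: the named accounts and tool strings are trivial to match, but the alert says the actor also creates accounts that mimic each victim's own legitimate names, which only a comparison against a known-good account inventory (here with a one-character tolerance for lookalikes such as svc-backup versus svc_backup) will surface. Scheduled-task hits are reported for manual review rather than auto-classified, because SynchronizeTimeZone is a legitimate built-in task and the question is whether its action was changed.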
Further mitigations are discussed in the Flash Alert, a copy of which is available from the American Hospital Association on this page.