Fortinet
Fortinet

FBI says an APT breached a US municipal government via an unpatched Fortinet VPN

The Federal Bureau of Investigation said today that foreign hackers had breached the network of a local US municipal government after exploiting vulnerabilities in an unpatched Fortinet networking appliance.

The intrusion was detected this month, in May 2021, the FBI said in an industry alert [PDF] published on one of its websites.

The hack comes after the FBI had previously warned the US private sector and government agencies to patch Fortinet devices a month earlier, in April 2021.

At the time, the FBI said that foreign nation-state hacking groups—also known as Advanced Persistent Threats (APTs)—were scanning the internet for Fortinet devices vulnerable to three bugs tracked as CVE 2018-13379CVE-2020-12812, and CVE-2019-5591.

But despite the early alert, hackers appear to have been successful in breaching at least one organization.

As of at least May 2021, an APT actor group almost certainly exploited a Fortigate appliance to access a webserver hosting the domain for a U.S. municipal government.

FBI Flash Alert MI-000148-MW

The FBI said that in this particular intrusion, the attacker created a backdoor account named "elie," which they used to pivot from the compromised Fortinet VPN appliance to the victim's internal network.

Once the threat actor gained access to the victim's internal network, they usually created further backdoor accounts for future access on systems like domain controllers, servers, workstations, and active directories.

Some of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization. In addition to unrecognized user accounts or accounts established to masquerade as existing accounts, the following account usernames may be associated with this activity

  • "ellie"
  • "WADGUtilityAccount"

FBI Flash Alert MI-000148-MW

The FBI is now urging organizations—once again—to patch their Fortinet devices.

By giving an example of a compromised entity, officials hope that organizations will take their current and previous warnings more seriously than before.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Catalin Cimpanu

Catalin Cimpanu

is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.