In a joint security alert published today, on Friday, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) said they’d observed multiple state-sponsored hacking groups scanning the web for Fortinet devices in order to find and gain access to sensitive networks so they could launch future attacks.
FBI and CISA officials attributed these attacks to “APT actors,” a term generally used to described foreign government-backed hacking groups.
The two agencies said these APT groups are currently scanning the web for Fortinet devices that run unpatched versions of the FortiOS operating system that are vulnerable to three security flaws tracked as CVE 2018-13379, CVE-2020-12812, and CVE-2019-5591.
The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks.The FBI and CISA
While the two agencies haven’t formally confirmed any intrusions, they are now asking Fortinet device owners to update their systems, audit admin accounts, and implement two-factor authentication, among many other recommendations — see security alert for more [PDF].
Government, commercial, and technology services networks may be at a heightened risk, according to US government officials.
APT groups previously seen exploiting Fortinet bugs include Chinese and Iranian adversaries, such as APT5 and MuddyWater respectively, although, the FBI and CISa hasn’t formally named any group yet.
CISA and FBI officials also warned about Fortinet last year
This is also the second time the FBI and CISA have released a joint security advisory on a Fortinet-related vulnerability.
They released the first on October 12, 2020, when they warned that APT actors had been seen chaining vulnerabilities in VPN products (Fortinet, Pulse Secure) together with Windows bugs (ZeroLogon) to breach and exfiltrate data government and corporate networks.
At the time, the two agencies confirmed successful attacks, some of which allowed intruders to gain “unauthorized access to elections support systems.”