A web server hosting the domain for a local government in the United States was recently breached by advanced hackers taking advantage of old vulnerabilities in firewalls sold by Fortinet, according to an FBI alert published Thursday.
According to the bulletin, an advanced persistent threat group (a term that usually refers to state-backed actors) gained access to the municipal government's network and may have created new user accounts on domain controllers, servers and in Active Directory, the kind of foothold that survives the closing of the original entry point.
“As of at least May 2021, an APT actor group almost certainly exploited a Fortigate appliance to access a webserver hosting the domain for a U.S. municipal government,” the alert read, referring to Fortinet’s line of firewalls, which the company sells as cloud-based software, virtual machines and physical units.
The vulnerabilities the FBI believes gave the APT its entry into the local government's network had been disclosed by Fortinet in 2018, 2019 and 2020, with the company issuing patches at the time. They are the three flaws named in the FBI and CISA joint advisory: CVE-2018-13379, a path traversal in the FortiOS SSL VPN web portal that lets an unauthenticated attacker read system files, including session data; CVE-2019-5591, a default configuration in which the appliance does not verify the identity of its LDAP server; and CVE-2020-12812, which lets a user log in without the second factor when the username's case is changed. None of these is new, but organizations are sometimes slow to install fixes, and attackers routinely scan for known, patched-but-undeployed bugs rather than spending zero-days.
The FBI and the Cybersecurity and Infrastructure Security Agency issued an advisory last month, in April 2021, warning that APT actors “are scanning for these vulnerabilities to gain access to multiple government, commercial, and technology services networks.”
“The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks,” that advisory went on to state.
The specific vulnerabilities named in Thursday’s alert are flaws in FortiOS, the proprietary operating system that runs on Fortinet’s appliances, and each has been fixed in later FortiOS releases. The practical check for a defender is therefore not whether a firewall is present but whether every FortiGate, physical or virtual, is running a release that contains those fixes.
The FBI said that the APT hackers may have created a phony account on the municipal government’s systems using the account name “elie.” That account and others like it, the bureau warned, could give the malicious hackers persistent access from which to carry out further attacks.
“Some of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization,” the alert read.
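That last warning is the useful hunting lead: a single indicator name is easy to search for, but an account built to blend in with existing ones will not match it. The script below is an added example, not code from the FBI alert or from Fortinet, that shows one way to run both checks over Windows Security event 4720 (“A user account was created”) records exported from a domain controller. The event lines, the baseline account list and the creator names are constructed for the example; the only name taken from the alert is “elie.” It flags new accounts that match a reported indicator and, separately, new accounts whose name is within a couple of edits of an account that already existed, which is how a lookalike such as “jsmlth” or “adminstrator” surfaces.

```python
import re
from datetime import datetime

# Constructed sample of Windows Security event 4720 ("A user account was
# created") records, flattened to one line each. These lines and every account
# name in them are made up for this example; "elie" is the account name the
# FBI alert said the actor may have created.
SAMPLE_EVENTS = """\
2021-05-03T02:14:07Z EventID=4720 SubjectUserName=svc_backup TargetUserName=elie TargetDomainName=CITY
2021-05-03T02:16:41Z EventID=4720 SubjectUserName=svc_backup TargetUserName=jsmlth TargetDomainName=CITY
2021-05-03T02:19:05Z EventID=4720 SubjectUserName=svc_backup TargetUserName=adminstrator TargetDomainName=CITY
2021-05-04T09:05:12Z EventID=4720 SubjectUserName=hr.admin TargetUserName=pwalsh TargetDomainName=CITY
2021-04-20T11:30:00Z EventID=4720 SubjectUserName=hr.admin TargetUserName=tnguyen2 TargetDomainName=CITY
"""

# Hypothetical baseline of accounts that existed before the incident window
# (in practice: an AD export taken from a known-good point in time).
EXISTING_ACCOUNTS = ["jsmith", "mgarcia", "tnguyen", "svc_backup",
                     "hr.admin", "administrator"]

# Account name reported in the FBI alert, lower-case for comparison.
IOC_ACCOUNT_NAMES = {"elie"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+EventID=4720\s+(?P<kv>.*)$")


def parse_events(text):
    """Parse the flattened 4720 lines into dicts; lines that are not 4720 are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kv = dict(pair.split("=", 1) for pair in m.group("kv").split())
        events.append({
            "time": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "creator": kv.get("SubjectUserName", ""),
            "account": kv.get("TargetUserName", ""),
            "domain": kv.get("TargetDomainName", ""),
        })
    return events


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def closest_existing(name, existing, max_distance=2):
    """Return (existing_name, distance) for the nearest baseline account within
    max_distance edits, ignoring case; None if nothing is that close. An exact
    (case-insensitive) match is the account itself, not a lookalike."""
    best = None
    for other in existing:
        if other.lower() == name.lower():
            continue
        d = levenshtein(name.lower(), other.lower())
        if d <= max_distance and (best is None or d < best[1]):
            best = (other, d)
    return best


def hunt(text, existing, iocs, since_iso, max_distance=2):
    """Flag accounts created on or after since_iso (YYYY-MM-DD) that either match
    a reported indicator name or closely resemble a baseline account."""
    since = datetime.strptime(since_iso, "%Y-%m-%d")
    findings = []
    for ev in parse_events(text):
        if ev["time"] < since:
            continue
        reasons = []
        if ev["account"].lower() in iocs:
            reasons.append("matches account name reported in the FBI alert")
        near = closest_existing(ev["account"], existing, max_distance)
        if near:
            reasons.append(f"resembles existing account '{near[0]}' (edit distance {near[1]})")
        if reasons:
            findings.append({
                "account": ev["account"],
                "created": ev["time"].isoformat(),
                "created_by": ev["creator"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, EXISTING_ACCOUNTS, IOC_ACCOUNT_NAMES, "2021-05-01"):
        print(f["created"], f["account"], "by", f["created_by"], "->", "; ".join(f["reasons"]))
```

Run against the constructed sample with a window starting 1 May 2021, it reports “elie” (indicator match), “jsmlth” (one edit from “jsmith”) and “adminstrator” (one edit from “administrator”), and stays quiet on “pwalsh”, which resembles nothing in the baseline. The edit-distance threshold of 2 is a tuning choice: on a large directory with many similar real names it will produce false positives, so in practice the lookalike hit is a reason to check who created the account and when, not a verdict on its own.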