Hackers Use Old Fortinet Flaws To Hit Gov’t, Tech Networks: FBI

‘APT actors are scanning for vulnerabilities with Fortinet FortiOS to gain access to multiple government, commercial, and technology services networks,’ says the Cybersecurity and Infrastructure Security Agency.

Sophisticated hackers are actively exploiting three known Fortinet FortiOS vulnerabilities to gain access to government, commercial, and technology services networks, federal officials warned Friday.

Gaining initial access to Fortinet FortiOS pre-positions the Advanced Persistent Threat (APT) groups to conduct future data exfiltration or data encryption attacks, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) cautioned in a joint cybersecurity advisory. Federal officials said the malicious behavior was spotted in March, and didn’t specify which APT group or groups are exploiting the flaws.

“APT actors are scanning for vulnerabilities with Fortinet FortiOS to gain access to multiple government, commercial, and technology services networks,” CISA tweeted at 12:42 p.m. ET Friday.

[Related: Feds: SolarWinds Attack ‘Poses a Grave Risk’ To Government, Business]

The hackers may be using any or all of the Fortinet FortiOS vulnerabilities to gain access to networks across multiple critical infrastructure sectors, CISA and the FBI said. APT groups have historically exploited critical vulnerabilities to conduct DDoS attacks, ransomware attacks, SQL injection attacks, spearphishing campaigns, website defacements, and disinformation campaigns, federal officials said.

“The security of our customers is our first priority,” a spokesperson for Sunnyvale, Calif.-based Fortinet told CRN in a statement. “If customers have not done so, we urge them to immediately implement the upgrade and mitigations.”

The FBI and CISA said that hackers have been scanning devices on three ports for a Fortinet FortiOS vulnerability that allows an unauthenticated attacker to download system files via special crafted HTTP resource requests. Fortinet issued a fix for this vulnerability in May 2019.

The APT actors also took advantage of a FortiOS vulnerability that allows an unauthenticated attacker to intercept sensitive information by impersonating the LDAP server, as well as an improper authentication vulnerability that results in users being able to log in successfully without being prompted for the second factor of authentication. Fortinet issued fixes for these flaws in July 2019 and July 2020, respectively.

The fact that the FBI and CISA needed to issue a cybersecurity advisory means that some organizations still haven’t applied the patches Fortinet made available a year or two ago. Hackers may also take advantage of other vulnerabilities or common exploitation techniques like spearphishing to gain access to critical infrastructure networks to pre-position for follow-on attacks, federal officials stated.

Fortinet‘s flagship FortiOS operating system has been around for a number of years, and is used by federal departments and large enterprises to manage their networks. The Fortinet advisory comes seven months after the FBI and CISA in September publicized a Chinese Ministry of State Security-affiliated operation that allegedly exploited software made by F5 Networks, Citrix, Pulse Secure, and Microsoft.