
Another APT Group Piercing into U.S. Local Government Networks

According to the FBI, a new APT group recently attacked the web server of a U.S. municipal government. After gaining access to the local government organization's server, the group managed to move laterally across the network.

What has happened?

The group exploited a FortiGate appliance to access a web server and then created new user accounts on the domain controller, servers, and workstations, with names imitating existing accounts.
  • The FBI observed that the attackers created the 'WADGUtilityAccount' and 'elie' accounts on targeted systems for collecting and exfiltrating data.
  • The APT group is not targeting any specific sector but a wide range of victims across multiple sectors, which suggests the activity is driven by exploitable vulnerabilities in commercial products rather than by the victims' identity.
  • In addition, the APT group has used several tools, including Mimikatz, MinerGate, WinPEAS, SharpWMI, BitLocker, WinRAR, and FileZilla, for various purposes during the intrusion.

Previous attacks

Attackers have been targeting vulnerabilities in various commercial products from Fortinet for some time.
  • The FBI and CISA warned a month ago about state-sponsored hacking groups gaining access to Fortinet appliances by abusing the CVE-2020-12812, CVE-2019-5591, and CVE-2018-13379 vulnerabilities.
  • Additionally, threat actors were found scanning for devices vulnerable to CVE-2018-13379 on ports 8443, 4443, and 10443.
  • After gaining access to a vulnerable Fortinet appliance, these state-sponsored hacking groups use it as a foothold for follow-on attacks against networks across critical infrastructure sectors.

Conclusion

The FBI has been issuing warnings about state-sponsored APT groups exploiting vulnerabilities in Fortinet and other enterprise products for several months. In addition to immediately patching exploitable vulnerabilities, the FBI recommended that organizations frequently review domain controllers, servers, and workstations for newly created user accounts. These warnings must be taken seriously and acted on without delay.
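The review of new user accounts the FBI recommends can be partly automated. The script below is an added example (not code from the original article or from the FBI) that audits Windows "user account created" events (Event ID 4720) for accounts created inside a lookback window and raises two of the signals described above: a name matching one of the account names reported in this intrusion (WADGUtilityAccount, elie), and a name that closely resembles an existing account, as the attackers' accounts imitated legitimate ones. The single-line event format, host names, account names other than the two from the article, timestamps, and the list of existing accounts are all constructed for the example; a real deployment would read the events from the Security log export or a SIEM instead.

```python
"""Audit Windows Event ID 4720 (user account created) records for new or suspicious accounts.

Added example for the account-review recommendation above. The log format below is a
simplified, hypothetical text export; adapt parse_events() to your own SIEM/CSV format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Account names reported by the FBI for this intrusion (taken from the article).
KNOWN_IOC_ACCOUNTS = {"wadgutilityaccount", "elie"}

# Constructed sample export: one 4720 event per line (hypothetical format, not a real log).
SAMPLE_EVENTS = """\
2021-05-20T02:14:07Z 4720 DC01 CreatedBy=admin.jsmith NewAccount=svc-backup
2021-05-26T23:41:55Z 4720 DC01 CreatedBy=CORP\\jdoe NewAccount=WADGUtilityAccount
2021-05-27T00:03:12Z 4720 FILESRV02 CreatedBy=CORP\\jdoe NewAccount=elie
2021-05-27T01:17:40Z 4720 WS-HR-07 CreatedBy=CORP\\jdoe NewAccount=jsmithh
2021-05-27T01:20:02Z 4720 DC01 CreatedBy=admin.jsmith NewAccount=jsmith2
"""

# Constructed list of accounts that legitimately existed before the review window.
EXISTING_ACCOUNTS = ["jsmith", "jdoe", "svc-backup"]

# Fixed "current time" so the example is reproducible; use datetime.utcnow() in practice.
REFERENCE_NOW = datetime(2021, 5, 27, 12, 0, 0)

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) 4720 (?P<host>\S+) CreatedBy=(?P<creator>\S+) NewAccount=(?P<name>\S+)$"
)


@dataclass
class NewAccount:
    created: datetime
    host: str
    creator: str
    name: str
    reasons: list[str] = field(default_factory=list)  # why the account deserves attention


def parse_events(text: str) -> list[NewAccount]:
    """Parse the simplified 4720 export; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        created = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(NewAccount(created, m["host"], m["creator"], m["name"]))
    return events


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one substitution, insertion or deletion."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    if len(a) > len(b):
        a, b = b, a  # make a the shorter string
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i:] == b[i + 1:]  # b with one character removed must equal a


def audit_new_accounts(text: str, existing: list[str], now: datetime,
                       lookback: timedelta = timedelta(days=7)) -> list[NewAccount]:
    """Return accounts created within the lookback window, annotated with review reasons."""
    recent = []
    for ev in parse_events(text):
        if now - ev.created > lookback:
            continue
        lname = ev.name.lower()
        if lname in KNOWN_IOC_ACCOUNTS:
            ev.reasons.append("matches an account name reported by the FBI")
        for known in existing:
            kl = known.lower()
            if lname != kl and within_one_edit(lname, kl):
                ev.reasons.append(f"resembles existing account '{known}'")
        recent.append(ev)
    return recent


def suspicious_accounts(text: str, existing: list[str], now: datetime) -> dict[str, list[str]]:
    """Map each flagged account name to its reasons (accounts with no reason are omitted)."""
    return {ev.name: ev.reasons for ev in audit_new_accounts(text, existing, now) if ev.reasons}


def audit_sample() -> dict[str, list[str]]:
    """Run the audit over the constructed sample data."""
    return suspicious_accounts(SAMPLE_EVENTS, EXISTING_ACCOUNTS, REFERENCE_NOW)


if __name__ == "__main__":
    for ev in audit_new_accounts(SAMPLE_EVENTS, EXISTING_ACCOUNTS, REFERENCE_NOW):
        status = "; ".join(ev.reasons) or "new account, verify with the creator"
        print(f"{ev.created:%Y-%m-%d %H:%M} {ev.host:<10} {ev.name:<20} by {ev.creator:<16} {status}")
```

Every account inside the window is listed so that a reviewer can confirm it with whoever created it; the IOC and lookalike checks only prioritise the list. The lookalike test is deliberately narrow (one edit) to keep false positives low on large domains; a site with many similarly named service accounts may want to add an allow-list for known naming patterns.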

Cyware Publisher