FBI Alert Warns About Fortinet VPN Flaws and Urges for Immediate Patching

By Bill Toulas / May 28, 2021

The FBI has published yet another cybersecurity alert, and this time, the agency is presenting the case of an APT group compromising a U.S. municipal government website hosted on a web server that was using a vulnerable Fortinet VPN. The actors moved laterally through the network and created new domain controller, server, and workstation user accounts with names that masqueraded existing ones. For what it’s worth, the FBI alert gives us the usernames “elie” and “WADGUtilityAccount,” so if you notice them in your network logs, get digging.

The vulnerabilities that the foreign APT exploited are “CVE-2018-13379”, “CVE-2020-12812”, and “CVE-2019-5591”. The first one is enabling the actors to gain access to the vulnerable devices through ports 4443, 8443, and 10443. Next, the actors enumerated devices for the other two flaws: a 2FA-bypassing bug and a sensitive information interception flaw. All three of these vulnerabilities have been addressed for a long time now, so the administration of the compromised web server was simply negligent.

In fact, the FBI and CISA have warned about the exact vulnerabilities and process of exploitation through another advisory in April 2021. It seems that system admins didn’t take note back then, and APTs continued to see quite a lot of potential targets popping up on their scanners. CVE-2018-13379, in particular, was first presented as a massively exploited bug in August 2019, when Devcore researchers presented their findings at the Black Hat conference that year.

As Sean Nikkel, Senior Cyber Threat Intel Analyst at Digital Shadows, tells us:

The critical information to note here is that all of these vulnerabilities are at least a year old at this point. That the vulnerabilities are still being exploited underscores how critical patch management is for every enterprise. All of the FBI's recommendations take a page from almost every best practice security guide available, and it's good to get a reminder because it's not just Fortinet threat actors are targeting. Using least privilege principles, performing regular updates and patching, using network segmentation, using backups, and strengthening login processes all go a long way to securing the estate. It's safe to say most criminal groups and APTs are counting on enterprises not being great at doing all of these things, and their continued success only highlights that fact.

The list of recommended mitigations in the FBI flash alert is long, but it starts with the patching of the three flaws. Besides that, reviewing all logs regularly is key, as is the deployment of multifactor authentication where that’s possible. User accounts with admin privileges must be regularly audited, a password rotation system must be established, network segmentation must be followed, and the use of a powerful AV/security solution is also advisable. Finally, you should disable unused RDP ports, keep backups offline, and introduce strict policies to prevent software installation from users.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari