APT threat exploits Fortinet OS flaws, CISA, FBI warn
- By Justin Katz
- Apr 05, 2021
Old vulnerabilities in enterprise software from Fortinet are allowing advanced persistent threat actors to gain access to government and industry networks, according to an April 2 advisory issued by the Cybersecurity and Infrastructure Security Agency and the FBI.
A joint advisory warns that by exploiting specific common vulnerabilities and exposures (CVEs), the APT actors can “gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks." The advisory cites three known CVEs in Fortinet's FortiOS that were identified in 2018, 2019 and 2020.
FortiOS is enterprise software used by major companies and governments to manage their network security.
“APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spearphishing campaigns, website defacements, and disinformation campaigns,” the advisory warns. “APT actors may use other CVEs or common exploitation techniques -- such as spearphishing -- to gain access to critical infrastructure networks to pre-position for follow-on attacks.”
In a statement, a Fortinet spokesperson said the company previously provided patches for the vulnerabilities cited in the advisory. "If customers have not done so, we urge them to immediately implement the upgrade and mitigations," the spokesperson said.
Fortinet has customers among the Fortune 100 companies as well as government agencies including the National Oceanic and Atmospheric Administration, NASA, the IRS and the White House.
This article was first posted to FCW, a sibling site to GCN.
Justin Katz covers cybersecurity for FCW. Previously he covered the Navy and Marine Corps for Inside Defense, focusing on weapons, vehicle acquisition and congressional oversight of the Pentagon. Prior to reporting for Inside Defense, Katz covered community news in the Baltimore and Washington D.C. areas. Connect with him on Twitter at @JustinSKatz.