APT threat exploits Fortinet OS flaws, CISA, FBI warn

Old vulnerabilities in enterprise software from Fortinet are allowing advanced persistent threat actors to gain access to government and industry networks, according to an April 2 advisory issued by the Cybersecurity and Infrastructure Security Agency and the FBI.

A joint advisory warns that by exploiting specific common vulnerabilities and exposures (CVEs), the APT actors can “gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks.” The advisory cites three known CVEs in Fortinet's FortiOS that were identified in 2018, 2019 and 2020.

FortiOS is enterprise software used by major companies and governments to manage their network security.

“APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spearphishing campaigns, website defacements, and disinformation campaigns,” the advisory warns. “APT actors may use other CVEs or common exploitation techniques -- such as spearphishing -- to gain access to critical infrastructure networks to pre-position for follow-on attacks.”

In a statement, a Fortinet spokesperson said the company previously provided patches for the vulnerabilities cited in the advisory. "If customers have not done so, we urge them to immediately implement the upgrade and mitigations," the spokesperson said.

Fortinet has customers among the Fortune 100 companies as well as government agencies including the National Oceanic and Atmospheric Administration, NASA, the IRS and the White House.

This article was first posted to FCW, a sibling site to GCN.

About the Author

Justin Katz covers cybersecurity for FCW. Previously he covered the Navy and Marine Corps for Inside Defense, focusing on weapons, vehicle acquisition and congressional oversight of the Pentagon. Prior to reporting for Inside Defense, Katz covered community news in the Baltimore and Washington D.C. areas. Connect with him on Twitter at @JustinSKatz.

