Search This Blog

Showing posts with label Fortinet. Show all posts

FBI says Attackers Breached US Local Govt After Hacking a Fortinet Appliance

 

After issuing a cybersecurity advisory warning that APT hacker groups are purposefully targeting vulnerabilities in Fortinet FortiOS, the FBI now warned that after hacking a Fortinet appliance, state-sponsored attackers compromised the webpage of a US local government. 

Fortinet is a multinational security company based in Sunnyvale, California. It creates and sells cybersecurity solutions, which include hardware like firewalls as well as software and services like anti-virus protection, intrusion prevention systems, and endpoint security components.

"As of at least May 2021, an APT actor group almost certainly exploited a Fortigate appliance to access a web-server hosting the domain for a U.S. municipal government," the FBI's Cyber Division said in a TLP:WHITE flash alert published on 27th May. 

The advanced persistent threat (APT) actors moved laterally around the network after gaining access to the local government organization's server, creating new domain controller, server, and workstation user identities that looked exactly like existing ones. On compromised systems, attackers linked to this ongoing APT harmful activity have created 'WADGUtilityAccount' and 'elie' accounts, according to the FBI.

This APT organization will most likely utilize this access to capture and exfiltrate data from the victims' network, according to the FBI. "The APT actors are actively targeting a broad range of victims across multiple sectors, indicating the activity is focused on exploiting vulnerabilities rather than targeted at specific sectors," the FBI added.

Last month, the FBI and the CISA issued a warning about state-sponsored hacking groups gaining access to Fortinet equipment by exploiting FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. The threat actors are also scanning for CVE-2018-13379 vulnerable devices on ports 4443, 8443, and 10443, and enumerating servers that haven't been patched against CVE-2020-12812 and CVE-2019-5591. 

Once they've gained access to a vulnerable server, they'll use it in subsequent attacks aimed at critical infrastructure networks. "APT actors may use other CVEs or common exploitation techniques—such as spear-phishing—to gain access to critical infrastructure networks to pre-position for follow-on attacks," the two federal agencies said.

"APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns." They further told. 

Threat Actors are Using YouTube to Lure Users into their Trap

 

Fortinet security researcher ‘accidentally discovered a unique way of tricking YouTube users. Due to Covid-19, as well as the recent surge in the value of the stock market and cryptocurrencies, more people than ever are at home looking for livestock market/crypto-related content on streaming platforms like YouTube, etc. This might be to compensate for the lack of in-person interactions that we would normally have in a non-Covid-19 world, as well as to perhaps make some quick income on the side. During a random midnight search for similar content, the researcher accidentally stumbled upon a LIVE Bitcoin scam on YouTube (yes, this time it was on YouTube and not on Twitter). 

YouTube has various labels/buttons on its home page to identify trending categories of videos, and this one indicated that several scams were streaming “live”. The first video researcher saw after clicking the Live button was titled, “Chamath Palihapitiya - What will be the New World of Finance? | SPACs, Coinbase IPO and NFT” with the URL link “hxxps://www[.]youtube[.]com/watch=cFstoyKl99s”. 

The next thing the researcher noticed was the video’s caption message, “Our mission is to advance humanity by solving the world’s hardest problems. We want to thank our supporters and also help crypto mass adoption, so 1000 BTC will be distributed among everyone who takes part in the event. You can find all the information on the website.” And also, unlike most content creators, the website link “More info: cham-event[.]com” did not include any video descriptions.

Another red flag was that while this YouTube channel had 252k subscribers, there was only ONE video on the channel. This could either be a case of a hacked YouTube channel that had all previous videos deleted, OR it could be that the malicious attacker somehow found a way to add fake subscribers to his/her channel. 

Earlier this month, hackers associated with these scams escalated their activity when they compromised two YouTube channels that maintain over eight million subscribers. In this particular case, the hackers modified these channels to impersonate our brand, using the Gemini name and logo. In light of these ongoing events, we want to share how these attacks work, discuss Gemini’s ongoing actions to protect our customers and provide some tips for YouTube channel owners to better secure. 

NCSC Warns of Exploited VPN Servers: Here are the Safety Tips to Fix Your VPN

 

The UK’s Nationwide Cyber Safety Centre (NCSC) has published a new advisory warning that cybercriminals as well as Advanced Persistent Threat (APT) actors are actively searching for unpatched VPN servers and trying to exploit the CVE-2018-13379 susceptibility.

According to NCSC, a significant number of organizations in the UK have not fixed a Fortinet VPN vulnerability found in May 2019, resulting in the credentials of 50,000 vulnerable VPNs being stolen and revealed on a hacker forum. As such, the NCSC recommended organizations that are using such devices to assume they are now compromised and to start incident management procedures, where security updates have not been downloaded.

“The NCSC is advising organizations which are using Fortinet VPN devices where security updates have not been installed, to assume they are now compromised and to begin incident management procedures. Users of all Fortinet VPN devices should check whether the 2019 updates have been installed. If not, the NCSC recommends that as soon as possible, the affected device should be removed from service, returned to a factory default, reconfigured, and then returned to service,” NCSC stated.

Safety tips for users & organizations 

The first step is to check whether the 2019 update is installed on all Fortinet VPN devices or not. If not, the NCSC recommends installing it as soon as possible. Secondly, the corrupt devices should be removed from service, returned to a factory default, reconfigured, and then restored to service. 

While fixing the security loophole, organizations should examine all connected hosts and networks to detect any further attacker movement and activities. Anomalous connections in access logs for the SSL VPN service may also indicate the use of compromised credentials. Organizations should then make it a high priority to upgrade to the latest FortiOS versions to prevent reinfection. 

"The security of our customers is our first priority. For example, CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a PSIRT advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019, July 2020, and again in April 2021 strongly recommending an upgrade," a Fortinet spokesperson told ZDNet.