Older Fortinet Vulnerabilities Lead to Attack on Local Government Office
The vulnerability exploitation comes as no surprise to one cybersecurity expert.
Dirk Schrader is global vice president of security research at New Net Technologies (NNT).
“Is anyone surprised about APT groups exploiting month- or year-old vulnerabilities in infrastructure devices successfully, even in a municipal government network?” he said. “That they haven’t been patched by now? Quite often the only ‘sophistication’ those APT groups need to have is patience and a good search capability. The rest is done by the victims. The cybersecurity essentials, critical controls as recommended by many, are there to break the cyber kill chain. Do it, secure and harden your assets, detect any malicious change to them, be aware of your critical devices [and] make it harder for the APTs to get you.”
It’s important to note that all of these vulnerabilities are at least a year old, said Sean Nikkel. He’s senior cyber threat intel analyst at Digital Shadows.
“All of the FBI’s recommendations take a page from almost every best practice security guide available,” he said. “And it’s good to get a reminder because it’s not just Fortinet that threat actors are targeting. Using least-privilege principles, performing regular updates and patching, using network segmentation, using backups and strengthening login processes all go a long way to securing the estate. It’s safe to say most criminal groups and APTs are counting on enterprises not being great at doing all of these things, and their continued success only highlights that fact.”
This week, the Department of Homeland Security (DHS) announced plans to begin regulating the pipeline industry in response to the Colonial Pipeline ransomware attack.
A number of cybersecurity industry execs have criticized DHS’ action. James Reynolds, SecureAge’s chief product officer, is among them.
“It doesn’t surprise me that the U.S. government is issuing directives after an event that affected tens of millions of people,” he said. “However, it is a disappointing surprise to learn how extremely little this first directive will make toward any improvements. It also surprises me that the directive is only targeted for pipeline companies. It should be directed toward all critical infrastructure companies and be unified across all sectors.”
The new security directive will require pipeline industry companies to report cyber incidents to the Transportation Security Administration (TSA) and the CISA. They also must have a cyber official with a 24/7 direct line to TSA and CISA to report an attack.
In addition, companies have to assess the security of their systems as measured against existing cyber guidelines. Until now, fixing any gaps has been voluntary.
Moreover, companies must correct any problems and address shortcomings or face financial penalties.
Reynolds said the new requirements aren’t significant enough.
“Having a direct line to TSA and CISA is basically the equivalent to ‘give me your cell number,’” he said. “This is just common sense and should have been done years ago. This won’t improve on detection, mitigation or, even more fundamentally, on encryption of sensitive data. Putting it as a directive just creates a formality in accountability and applies financial (and perhaps criminal) repercussions if they don’t comply.”
Reynolds also said the new requirements won’t effectively protect the pipeline industry.
“Having the pipeline industry monitor the network connections is just one small thing that they should be doing to detect breaches,” he said. “They need to have a prevention plan in place and use tools that prevent changes to the critical systems in the first place.”
New WhiteHat Security research shows 67% of utility applications have at least one serious exploitable vulnerability open throughout the year.
The research examined window of exposure (WoE), which is the time between when a vulnerability is disclosed and a patch is available. WoE has decreased in both manufacturing and health care, while WoE in utilities has increased. That makes utilities the second most vulnerable behind public administration.
Setu Kulkarni is WhiteHat’s vice president of corporate strategy and business development.
“While we see the WoE data getting better for health care and financial applications, the overall state of affairs is concerning, with the average WoE for applications across all industries still remaining in the 40%-50% range, meaning 40%-50% of the applications we use have exploitable vulnerabilities,” he said.
Application security vulnerabilities can cause serious reputational, financial, compliance and operational risk to an organization, Kulkarni said. That can result in a decline in the quality of service or product they deliver to their end customers.
While there are impacts to the organization when an application is breached by threat actors, there’s almost always customer/user data at risk.
“While the recent Colonial Pipeline cyberattack was a ransomware attack, its repercussions are an example of the risks that exist with vulnerable applications as well,” he said.
Moving forward, organizations need to reduce the risk of being breached via web, mobile and API applications that are running in production serving their clients, Kulkarni said.
“To do this, we suggest that organizations start by securing their critical applications by testing them for vulnerabilities in production where the actual risk of being breached is maximum,” he said. “Once the vulnerabilities on critical systems are known, organizations should immediately mitigate the severe vulnerabilities. This program of testing applications in production and mitigating vulnerabilities in a risk-based manner should then be extended to the next tier of important applications until the entire inventory of applications is covered.”
Organizations should also look at the most prevalent vulnerability types in their application landscape and deploy targeted training programs to help their software teams identify and fix these vulnerabilities quickly and in many cases proactively, Kulkarni said.
Application security startup ArmorCode has launched its channel and integration partner program to deliver its platform to enterprises globally.
ArmorCode’s platform integrates with more than 60 security products and collaboration platforms. A new technical integration with ShiftLeft, a code security platform for developers, will help enterprises benefit from both companies.
Nikhil Gupta is ArmorCode’s co-founder and CEO.
“ArmorCode is engaged with over a dozen Fortune 500 companies,” he said. “And ArmorCode is simplifying the biggest challenge the application security team [has]. Application security is painful and not scalable. Large customers look for solutions and not products, and thus ArmorCode decided to launch this new partner program to solve enterprise customer needs.”
ArmorCode is targeting technology partners and channel partners (MSSPs, VARs/resellers and security consulting companies), Gupta said.
“We are a very partner-focused company, and we spoke and took inputs from … leaders on how we can together best help the customers,” he said. “One of the examples is that even though we have our own relationship with the large customers, we asked our end customer which partner they would prefer to buy through. We also discussed with the partners our go-to-market (GTM) strategy.”
Security is all about distribution, Gupta said. ArmorCode will gain a competitive advantage as its reach will increase tenfold.
“A comprehensive platform such as ArmorCode gives a big competitive advantage to our partners as they can build several innovative services to sell to their customers,” he said. “ArmorCode also will help partners upsell the other security tools that they sell today. For example, ArmorCode provides a comprehensive visibility of the number of applications their end customers have in their environment. As a result, a partner can go and sell new tools for the applications they were not aware of.”
Relativity, a global legal and compliance technology company, has acquired Text IQ, which applies artificial intelligence (AI) to identify sensitive data.
The combination will enable law firms, enterprises and service providers to identify and manage sensitive and privileged data in an integrated suite. The terms of the deal weren’t disclosed.
Mike Gamson is Relativity’s CEO.
“We expect that most of the industry will experience Text IQ through a law firm or service provider (partners), very much like how most of the industry experiences Relativity today,” he said. “We plan to train and enable our partners to deliver any services associated with Text IQ. Once our technologies are integrated, our partners will have access to advanced techniques including deep learning, social network analysis (SNA), natural language processing (NLP), and self-supervised and unsupervised machine learning (ML). This process had already been initiated by Text IQ, with ProSearch, a RelativityOne certified partner, becoming certified to run the technology, and with several law firm partners who have developed workflows around Text IQ’s technology.”
As many of Text IQ’s customers and partners use their technology in conjunction with Relativity, the acquisition will benefit them from a tighter integration between the two platforms, Gamson said. That will result in faster speed to insights and a more secure exchange of data.
“Text IQ certainly gives Relativity and our partners a competitive advantage, which is one of the reasons we acquired them,” he said. “Text IQ has a team of around 70 employees and more than 30 engineers – half of whom have advanced degrees in AI/ML – who are focused on solving the complex challenges associated with unstructured data through their deep AI expertise. Text IQ’s products backed by this team of experts will help our partners solve new problems for their customers. They’re the industry leaders in using AI to automate privilege review, helping our partners solve a problem that is manual, expensive and error prone. Text IQ’s technology is also adept at identifying personally identifiable information (PII) and protected health information (PHI) in ways that regular expressions and keyword search often miss. These capabilities drive powerful data breach response and data subject access requests (DSARs) solutions.”
A new FBI warning on older Fortinet vulnerabilities shows cybercriminals continue to have an advantage when organizations delay installing patches.
An advanced persistent threat (APT) actor group recently breached a local government by exploiting older Fortinet vulnerabilities. The group “almost certainly” exploited a FortiGate appliance to access a web server hosting the local government’s domain. The FBI isn’t identifying the local government.
The APT actors likely created an account with the username “elie” to further enable malicious activity on the network. Last month, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned that APT actors had gained access to devices on ports 4443, 8443 and 10443 for Fortinet FortiOS CVE-2018-13379, and enumerated devices for FortiOS CVE-2020-12812 and FortiOS CVE-2019-5591.
What the Actors Can Do
The APT actors can do data exfiltration, data encryption or other malicious activity. They are actively targeting a broad range of victims across multiple sectors. That indicates the activity is focused on exploiting vulnerabilities rather than targeting specific sectors.
Moreover, they may have established new user accounts on domain controllers, servers, workstations and active directories, according to the FBI. Some of these accounts appear to mimic other existing accounts on the network, so specific account names may vary per organization.
In addition to unrecognized user accounts or accounts masquerading as existing accounts, the account usernames “elie” and “WADGUtilityAccount” may be associated with this activity.
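The FBI's indicators above are account names, some of them chosen to blend in with accounts that already exist. The following is an added example, not code from the advisory or from Fortinet, of how a defender can audit an account export against an approved baseline: it flags the two names the advisory cites, accounts absent from the baseline, and accounts that closely resemble an approved one. The baseline and export data are constructed sample values.

```python
import difflib

# Account names the FBI advisory ties to this activity (taken from the page);
# compared case-insensitively below.
ADVISORY_ACCOUNT_NAMES = {"elie", "wadgutilityaccount"}

def lookalike_of(name, baseline, cutoff=0.85):
    """Return the approved account that `name` most closely resembles, or None.
    A difflib similarity ratio >= cutoff flags e.g. 'svc_backup' vs 'svc-backup'."""
    matches = difflib.get_close_matches(name.lower(), baseline, n=1, cutoff=cutoff)
    return matches[0] if matches else None

def audit_accounts(current, baseline):
    """Compare a current account export against an approved baseline.
    current: iterable of (username, description); baseline: iterable of usernames.
    Returns a list of (username, reason) findings, one per suspicious account."""
    known = {b.lower() for b in baseline}
    findings = []
    for user, _desc in current:
        u = user.lower()
        if u in known:
            continue  # approved account, nothing to report
        if u in ADVISORY_ACCOUNT_NAMES:
            findings.append((user, "matches account name from FBI advisory"))
            continue
        twin = lookalike_of(u, known)
        if twin:
            findings.append((user, f"not in baseline, resembles existing account '{twin}'"))
        else:
            findings.append((user, "not in approved baseline"))
    return findings

# Constructed sample data: an approved baseline and a fresh export from a domain controller.
BASELINE = ["administrator", "jsmith", "svc-backup", "svc-sql", "krbtgt"]
CURRENT_EXPORT = [
    ("Administrator", "Built-in account"),
    ("jsmith", "Jane Smith"),
    ("svc-backup", "Backup service"),
    ("svc_backup", "Backup service"),      # constructed lookalike of an existing account
    ("svc-sql", "SQL service"),
    ("elie", ""),                           # name cited in the advisory
    ("WADGUtilityAccount", "Utility"),      # name cited in the advisory
    ("krbtgt", "KDC service account"),
]

if __name__ == "__main__":
    for user, reason in audit_accounts(CURRENT_EXPORT, BASELINE):
        print(f"{user:22} {reason}")
```

Running it on a real export means feeding the names from your directory tooling into `audit_accounts` in place of the constructed lists; anything it reports still needs a human to confirm who created the account and when.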
Fortinet sent us the following statement:
“The security of our customers is our first priority. CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a product security incident response team (PSIRT) advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019, July 2020, and again in April 2021 strongly recommending an upgrade. If customers have not done so, we urge them to immediately implement the upgrade and mitigations.”
More Targeted Infiltrations Likely
Tyler Shields, JupiterOne’s CMO, said this is a “target of opportunity” style of attack exploiting Fortinet vulnerabilities, for now.
“Issues in infrastructure-related technologies lend themselves to a long tail of exploitability due to the difficulties in finding and updating these types of systems,” he said. “This is the type of thing that will linger for quite some time. Now that the attack and exploit have been made public, there is a good chance you will begin to see more targeted infiltrations.”
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.