The FBI has published yet another cybersecurity alert, and this time, the agency is presenting the case of an APT group compromising a U.S. municipal government website hosted on a web server that was using a vulnerable Fortinet VPN. The actors moved laterally through the network and created new domain controller, server, and workstation user accounts with names that masqueraded existing ones. For what it’s worth, the FBI alert gives us the usernames “elie” and “WADGUtilityAccount,” so if you notice them in your network logs, get digging.
The vulnerabilities that the foreign APT exploited are “CVE-2018-13379”, “CVE-2020-12812”, and “CVE-2019-5591”. The first one is enabling the actors to gain access to the vulnerable devices through ports 4443, 8443, and 10443. Next, the actors enumerated devices for the other two flaws: a 2FA-bypassing bug and a sensitive information interception flaw. All three of these vulnerabilities have been addressed for a long time now, so the administration of the compromised web server was simply negligent.
In fact, the FBI and CISA have warned about the exact vulnerabilities and process of exploitation through another advisory in April 2021. It seems that system admins didn’t take note back then, and APTs continued to see quite a lot of potential targets popping up on their scanners. CVE-2018-13379, in particular, was first presented as a massively exploited bug in August 2019, when Devcore researchers presented their findings at the Black Hat conference that year.
As Sean Nikkel, Senior Cyber Threat Intel Analyst at Digital Shadows, tells us:
The list of recommended mitigations in the FBI flash alert is long, but it starts with the patching of the three flaws. Besides that, reviewing all logs regularly is key, as is the deployment of multifactor authentication where that’s possible. User accounts with admin privileges must be regularly audited, a password rotation system must be established, network segmentation must be followed, and the use of a powerful AV/security solution is also advisable. Finally, you should disable unused RDP ports, keep backups offline, and introduce strict policies to prevent software installation from users.