The U.S. Federal Bureau of Investigation today issued a flash alert warning that so-called advanced persistent threat actors are exploiting vulnerabilities in cybersecurity appliances from Fortinet Inc.

According to the FBI, an APT group — APT groups are typically state-sponsored — has exploited a Fortinet appliance to access a web server hosting the domain of a U.S. municipal government. The alert notes that the APT actors likely created an account with the username “elie” to enable further malicious activity on the network.

The flash alert warns that the access can be leveraged to conduct data exfiltration, data encryption and other malicious activities. The FBI also warns that APT actors are actively targeting a broad range of victims across multiple sectors, indicating that the activity is focused on exploiting vulnerabilities rather than targeted at specific sectors.

The new flash alert comes after the FBI warned that hackers were actively targeting FortiOS vulnerabilities in early April.

“The FBI issued their second alert regarding multiple flaws in Fortinet’s FortiGate SSL VPN being exploited in the wild, and the first was published over a month ago,” Tyler Shields, chief marketing officer at asset management and governance solutions firm JupiterOne Inc., told SiliconANGLE. “However, multiple U.S. government agencies, including the FBI, the NSA and CISA, have published several alerts over the last few years highlighting the use of CVE-2018-13379, a critical flaw in the SSL VPN, by APT groups that was patched two years ago.”

The fact that there are still legacy vulnerabilities being exploited in spite of these alerts is a cautionary tale that unpatched flaws remain a valuable tool for APT groups and cybercriminals in general, Shield added. “The risk is further heightened by the broad shift of the workforce over the past year,” he said. “Unpatched vulnerabilities, not zero-days, are the biggest threat to most organizations today because it gets attackers to their end goal in the fastest and cheapest way.”

Dirk Schrader, global vice president, security research at cybersecurity and compliance software company New Net Technologies Ltd., noted that quite often, the only sophistication APT groups need to have is patience and a good search capability. “The rest is done by the victims,”he said. “The cybersecurity essentials, critical controls as recommended by many, are there to break the cyber kill chain. Do it, secure and harden your assets, detect any malicious change to them, be aware of your critical devices, make it harder for the APTs to get you.”

Image: Fortinet