Advanced hackers are exploiting old flaws in popular enterprise software made by Fortinet in a possible attempt to access networks in multiple critical infrastructure sectors, the FBI and Department of Homeland Security warned on Friday.
“Advanced persistent threat” actors — a term that usually refers to state-linked groups — are likely using the software flaws to breach “multiple government, commercial, and technology services networks,” states the advisory from the FBI and DHS’s Cybersecurity and Infrastructure Security Agency.
The agencies said that the attackers, whom they did not identify, could be using the bugs in Fortinet software to access “key networks as pre-positioning for follow-on data exfiltration or data encryption attacks.”
The three vulnerabilities are in FortiOS, security software that government agencies and big corporations use to manage their networks. Hackers could exploit the bugs to intercept sensitive data on networks. Fortinet disclosed the vulnerabilities in 2018, 2019 and 2020 and issued fixes for them. That the bugs continue to be useful to hackers points to the fact that some organizations still have not updated their software.
The FBI and CISA advised organizations that haven’t applied the software patches to do so immediately.
“The security of our customers is our first priority,” California-based Fortinet, which is a popular U.S. government contractor, said in a statement. The company said it promptly issued fixes for the vulnerabilities when they were discovered, and urged customers that hadn’t applied them to do so.
The advisory is part of a recurring effort by U.S. government officials to warn companies of ongoing hacking operations based on popular software. The FBI and CISA in September publicized a suspected Chinese intelligence operation that allegedly exploited software made by F5 Networks and Citrix, among other vendors.