FBI & CISA: APT Actors Exploit Vulnerabilities to Gain Access for Future Attacks

SUMMARY

In March of 2021, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) were alerted to Advanced Persistent Threat (APT) actors scanning devices on ports 4443, 8443, and 10443 for CVE-2018-13379, and numerous devices for CVE-2020-12812 and CVE-2019-5591.

Historically, APT actors have leveraged critical vulnerabilities to perform distributed denial-of-service (DDoS) attacks, spearphishing campaigns, website defacements, disinformation campaigns, and structured query language (SQL) injection attacks. It is highly probable that these APT actors are attempting to exploit these vulnerabilities to gain access to government, commercial, and technology services networks.

TECHNICAL DETAILS

The FBI and CISA have evidence indicating these APT actors are exploiting multiple Fortinet FortiOS vulnerabilities, specifically CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591, to infiltrate government, commercial, and technology service networks.

Using these CVEs, APT actors may be attempting to infiltrate networks in multiple critical infrastructures to gain the access necessary for subsequent data exfiltration and data encryption attacks. APT actors may use other CVEs or common exploitation techniques like spearphishing to gain sufficient access for planned attacks.
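The scanning described in the summary (ports 4443, 8443, and 10443) is something a defender can look for in perimeter firewall logs. The following is an added example, not code from the FBI/CISA advisory or from Breadcrumb: it parses a constructed key=value log format (a real FortiGate or other firewall export will use different field names, so the regular expression is an assumption to adapt), counts connection attempts to the advisory's ports per source address, and flags sources that touched several distinct host/port pairs, which is the pattern a scan leaves rather than a single stray connection.

```python
import re
from collections import defaultdict

# Ports the advisory reports being scanned for CVE-2018-13379.
ADVISORY_PORTS = {4443, 8443, 10443}

# Constructed sample firewall log lines (not real data; addresses are from
# RFC 5737 documentation ranges). Field names are an assumption.
SAMPLE_LOGS = """\
2021-03-02T10:00:01Z action=deny src=203.0.113.7 dst=198.51.100.10 dport=4443 proto=tcp
2021-03-02T10:00:02Z action=deny src=203.0.113.7 dst=198.51.100.11 dport=8443 proto=tcp
2021-03-02T10:00:02Z action=deny src=203.0.113.7 dst=198.51.100.12 dport=10443 proto=tcp
2021-03-02T10:00:03Z action=deny src=203.0.113.7 dst=198.51.100.13 dport=4443 proto=tcp
2021-03-02T10:00:04Z action=accept src=192.0.2.5 dst=198.51.100.10 dport=443 proto=tcp
2021-03-02T10:00:05Z action=deny src=192.0.2.9 dst=198.51.100.10 dport=8443 proto=tcp
2021-03-02T10:00:06Z action=accept src=192.0.2.5 dst=198.51.100.10 dport=22 proto=tcp
"""

# Hypothetical log layout: timestamp, then space-separated key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>[\d.]+)\s+"
    r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    return event


def port_hits(log_text, ports=ADVISORY_PORTS):
    """Count events per source address whose destination port is in `ports`.
    Malformed lines are skipped rather than aborting the run."""
    counts = defaultdict(int)
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None or event["dport"] not in ports:
            continue
        counts[event["src"]] += 1
    return dict(counts)


def find_scanners(log_text, ports=ADVISORY_PORTS, min_targets=3):
    """Return {src: sorted [(dst, dport), ...]} for sources that reached at
    least `min_targets` distinct host/port pairs among `ports`. A single hit
    is only a triage signal; breadth across hosts is what suggests a scan."""
    targets = defaultdict(set)
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None or event["dport"] not in ports:
            continue
        targets[event["src"]].add((event["dst"], event["dport"]))
    return {
        src: sorted(pairs)
        for src, pairs in targets.items()
        if len(pairs) >= min_targets
    }


if __name__ == "__main__":
    for src, n in sorted(port_hits(SAMPLE_LOGS).items()):
        print(f"{src}: {n} attempt(s) on advisory ports")
    for src, pairs in find_scanners(SAMPLE_LOGS).items():
        print(f"likely scanner {src}: {pairs}")
```

Tune `min_targets` to the size of the exposed address space; a source hitting one port on one host is worth a lookup, while a source walking several hosts across all three ports is the pattern worth escalating and correlating with the patch state of any FortiOS devices behind those addresses.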

MITIGATIONS

We recommend companies and organizations do the following:

  • Patch CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 immediately.
  • If your organization does not use FortiOS, add FortiOS key artifact files to your organization’s execution deny list. Attempts to install or execute this program and any associated files should be prevented.
  • Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are unable to be modified or deleted from the primary data retention system.
  • Implement network segmentation.
  • Require administrator credentials to install software.
  • Implement a recovery plan to restore sensitive or proprietary data from a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
  • Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
  • Use multi-factor authentication where possible.
  • Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Install and regularly update antivirus and anti-malware software on all hosts.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.
  • Focus on awareness and training. Provide users with training on information security principles and techniques, particularly on recognizing and avoiding phishing emails.

CONTACT INFORMATION

For any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact Breadcrumb. This report originally appeared here.

Breadcrumb Cybersecurity helps organizations protect their infrastructure, critical data, and reputation from today’s advanced cyber threats. Based in California, Breadcrumb offers comprehensive cybersecurity services for organizations throughout the U.S. Our services include regulatory compliance, risk assessments, digital forensics, penetration testing, incident response, technical/staff training, 24/7 security operations, and on-going advisory services.