cloud-init@mail.io and cloud-noc@mail.io. Other admin accounts are created with the names: audit, backup, itadmin, secadmin, and support.
Mitigation: If these or other IOCs, such as the IP addresses, are identified in device configurations or logs, the system and its configuration should be considered compromised. Fortinet recommends updating the device to the latest available software release, restoring a configuration from a clean backup, and rotating all credentials, including any LDAP/AD accounts that may be connected to the FortiGate devices. The setting “Allow administrative login using FortiCloud SSO” should be set to off, but if any third-party SSO systems are enabled they can still be abused. Administrative access should not be enabled from the Internet for network-edge devices, and Fortinet PSIRT has shared a policy configuration that restricts access to the administrative interface to specific IP subnets only.
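As a defender's triage step for the mitigation above, here is an added Python example (not from the article or from Fortinet) that scans a FortiOS-style configuration backup for the listed account names and e-mail addresses, for admin accounts without a trusted-host restriction, and for FortiCloud SSO admin login being enabled. The setting names trusthost1, email-to and admin-forticloud-sso-login are assumptions, and the sample configuration is constructed.

```python
"""Added triage example (not from the article): scan a FortiOS-style config
backup for the IOCs the article lists and for admins lacking a trusted-host limit."""
import re

# IOC admin account names and e-mail addresses named in the article
IOC_ADMIN_NAMES = {"audit", "backup", "itadmin", "secadmin", "support"}
IOC_EMAILS = {"cloud-init@mail.io", "cloud-noc@mail.io"}

# Constructed sample in simplified FortiOS layout; the setting names trusthost1,
# email-to and admin-forticloud-sso-login are assumptions, not quoted from the article.
SAMPLE_CONFIG = """\
config system global
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
    edit "secadmin"
        set accprofile "super_admin"
        set email-to "cloud-noc@mail.io"
    next
end
"""

def parse_admins(config: str) -> dict[str, dict[str, str]]:
    """Return {admin_name: {setting: value}} from the 'config system admin' block."""
    block = re.search(r"config system admin\n(.*?)\nend", config, re.S)
    admins: dict[str, dict[str, str]] = {}
    for m in re.finditer(r'edit "([^"]+)"\n(.*?)\n\s*next', block.group(1) if block else "", re.S):
        admins[m.group(1)] = dict(re.findall(r"set (\S+) (.+)", m.group(2)))
    return admins

def find_findings(config: str) -> list[str]:
    """Reasons to treat the config as compromised (IOCs) or weakly configured."""
    findings = []
    for name, settings in parse_admins(config).items():
        if name in IOC_ADMIN_NAMES:
            findings.append(f"IOC admin account present: {name}")
        if not any(key.startswith("trusthost") for key in settings):
            findings.append(f"admin {name} has no trusted-host restriction")
    for email in sorted(IOC_EMAILS):
        if email in config:
            findings.append(f"IOC e-mail present: {email}")
    if "set admin-forticloud-sso-login enable" in config:
        findings.append("FortiCloud SSO admin login is enabled")
    return findings
```

Any hit from the IOC checks means the device should be handled as compromised per the guidance above; the trusted-host and SSO findings are hardening gaps rather than compromise indicators.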
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4121682/fortinet-confirms-new-zero-day-attacks-against-customer-devices.html