Cybersecurity researchers at GreyNoise have detected an alarming surge in brute-force attacks against Fortinet SSL VPN systems, with over 780 unique IP addresses launching coordinated attacks in a single day—marking the highest daily volume recorded for this type of attack in recent months.
The sophisticated campaign appears to represent a significant escalation in targeting Fortinet’s enterprise networking infrastructure, with attackers demonstrating precise knowledge of their targets rather than opportunistic scanning.
Unprecedented Attack Volume Signals Potential Vulnerability
The massive spike in malicious traffic triggered GreyNoise’s Fortinet SSL VPN Bruteforcer detection system, representing a dramatic increase from typical attack volumes.
According to GreyNoise research, such concentrated spikes in attacker activity often serve as early warning signals, with 80 percent of similar cases historically followed by the disclosure of new vulnerabilities affecting the same vendor within six weeks.
This pattern suggests the current campaign may be exploiting previously unknown weaknesses in Fortinet’s systems.
The attacks demonstrated deliberate targeting rather than broad scanning, with traffic specifically focused on FortiOS profiles.
Geographic analysis revealed that Hong Kong and Brazil emerged as the primary target countries over the past 90 days, indicating either concentrated infrastructure in these regions or specific strategic interest from threat actors.
Analysis of the attack campaign revealed two distinct operational phases. The first wave consisted of long-running brute-force activity tied to a consistent TCP signature that maintained steady levels over time.
However, beginning August 5th, researchers identified a sudden concentrated burst of traffic featuring an entirely different TCP signature, marking a clear tactical evolution.
Most significantly, the attackers demonstrated adaptability by shifting their focus from FortiOS systems to FortiManager FGFM profiles while maintaining the same underlying infrastructure.
This pivot suggests either the same threat actors expanding their targeting scope or coordinated efforts using shared toolsets.
Investigation into the attack infrastructure uncovered potential residential network origins, with one IP address resolving to a FortiGate device operating within a residential ISP block.
While this could indicate testing from home networks, researchers note it may also reflect the use of residential proxy services to obscure the true attack origins.
The campaign’s technical sophistication and targeted nature represent a significant threat to organizations relying on Fortinet SSL VPN solutions.
The attackers’ ability to rapidly pivot between different Fortinet services while maintaining persistent access attempts demonstrates advanced operational capabilities.
GreyNoise researchers recommend immediate defensive measures, including implementing dynamic IP blocking using their tagged malicious address lists and monitoring for the specific traffic signatures associated with this campaign.
Organizations should prepare for potential vulnerability disclosures in the coming weeks based on historical patterns linking attack surges to subsequent security revelations.
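As an added illustration of the monitoring step recommended above (example code, not GreyNoise's or Fortinet's), this Python snippet counts the distinct source IPs failing SSL VPN logins per day in FortiGate-style event logs, flags a day whose count jumps well above the prior baseline, and lists which of those sources already appear on a tagged address list. The log lines, the blocklist and the field layout are constructed for the example and assumed to follow the FortiOS key=value style; check real field names against the FortiOS log reference before relying on them.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate's key=value event-log style.
# Field names follow FortiOS (subtype/action/remip); values are invented.
SAMPLE_LOGS = """\
date=2025-08-04 time=09:12:01 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=203.0.113.10
date=2025-08-04 time=11:40:22 type="event" subtype="vpn" action="ssl-login-fail" user="vpn" remip=198.51.100.7
date=2025-08-05 time=00:01:15 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=203.0.113.10
date=2025-08-05 time=00:01:16 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=203.0.113.11
date=2025-08-05 time=00:01:17 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=203.0.113.12
date=2025-08-05 time=00:01:18 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=198.51.100.8
date=2025-08-05 time=00:01:19 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=198.51.100.9
date=2025-08-05 time=08:15:00 type="event" subtype="vpn" action="ssl-login-ok" user="alice" remip=192.0.2.5
"""

# Placeholder for a tagged malicious-address feed (e.g. GreyNoise's); constructed values.
TAGGED_BLOCKLIST = {"203.0.113.11", "203.0.113.12", "198.51.100.9"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def failed_sources_per_day(log_text):
    """Map each date to the set of distinct remote IPs with SSL VPN login failures."""
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") == "vpn" and rec.get("action") == "ssl-login-fail":
            per_day[rec["date"]].add(rec["remip"])
    return dict(per_day)

def detect_surges(per_day, factor=2.0, minimum=3):
    """Return {date: count} for days whose distinct-source count is at least
    `minimum` and at least `factor` times the mean of all preceding days."""
    surges, history = {}, []
    for date in sorted(per_day):
        count = len(per_day[date])
        baseline = sum(history) / len(history) if history else 0
        if count >= minimum and count >= factor * baseline:
            surges[date] = count
        history.append(count)
    return surges

def sources_on_blocklist(per_day, blocklist):
    """Per day, the failing sources already on the tagged list (block candidates)."""
    return {d: sorted(ips & blocklist) for d, ips in per_day.items() if ips & blocklist}
```

In production the baseline would be computed over a longer window than two days, and the blocklist would be refreshed from the feed rather than hard-coded.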