Arctic Wolf has reported a widespread campaign targeting Fortinet FortiGate firewalls whose management interfaces are exposed to the public internet.
The attacks, observed by Arctic Wolf between November and December 2024, exploit what is believed to be a zero-day vulnerability, giving the attackers unauthorized access to, and the ability to change the configuration of, critical network security infrastructure.
The campaign, which affected devices running FortiOS firmware versions 7.0.14 through 7.0.16, unfolded in four distinct phases:
- Vulnerability Scanning (November 16-23, 2024)
- Reconnaissance (November 22-27, 2024)
- SSL VPN Configuration (December 4-7, 2024)
- Lateral Movement (December 16-27, 2024)
During the initial phase, attackers ran vulnerability scans and logged in through the jsconsole, the web-based command-line console of the FortiGate management interface. The login events frequently carried unusual or spoofed source IP addresses, including loopback addresses and the addresses of public DNS resolvers, to mask where the activity actually came from.
Reconnaissance and Follow-on Phases
The reconnaissance phase involved testing the level of administrative privilege obtained by making initial configuration changes. In the subsequent SSL VPN configuration phase, attackers either created new super_admin accounts or hijacked existing ones to push further into the networks behind the firewalls.
They also modified SSL VPN portal settings and repurposed the built-in “guest” account to keep control of the device.
In the final phase, the attackers used the access they had gained to perform DCSync against Active Directory, replicating credential material from domain controllers and thereby gaining access to sensitive account information across the domain.
Arctic Wolf’s lead threat intelligence researcher, Stefan Hostetler, noted, “The pattern of activity we observed was consistent with opportunistic widespread exploitation, given that each of the affected victim organizations had somewhere between hundreds to thousands of malicious login events on Fortinet firewall devices.”
While the exact vulnerability remains unconfirmed, security experts strongly suspect a zero-day flaw.
The compressed timeline of attacks across multiple organizations, and the fact that the affected devices ran current firmware versions, supports this assessment.
The campaign’s impact has been significant, with at least tens of organizations affected across various industries.
Fortinet acknowledged the attacks in a security advisory, confirming that threat actors had exfiltrated sensitive data, including IP addresses, credentials, and configuration information of FortiGate devices managed by compromised FortiManager appliances.
In response to this threat, cybersecurity experts are urging organizations to take immediate action:
- Remove management access (HTTPS, SSH) from internet-facing interfaces and restrict administrators to trusted source addresses; FortiOS supports both through per-interface allowaccess settings and per-administrator trusthost entries.
- Update firmware to the latest stable versions.
- Implement multi-factor authentication for administrative access.
- Monitor for anomalous login behaviors and unauthorized configuration changes.
- Conduct thorough threat hunting to detect potential compromises.
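One way to hunt for the pattern described in the phases above (jsconsole logins from spoofed sources, configuration changes made through the console, new or altered admin accounts and SSL VPN settings) in FortiGate event logs. This is an added example, not Arctic Wolf's or Fortinet's own detection logic. It assumes FortiOS key=value event logs carrying the fields ui, user, srcip, action, status, cfgpath, cfgobj and cfgattr; the sample lines are constructed for the example rather than captured from a device, and the resolver address set and indicator labels are illustrative choices. The DCSync phase happens in Active Directory, not on the firewall, so it is out of scope for this script.

```python
from __future__ import annotations

import ipaddress
import re
from collections import Counter, defaultdict

# Tokenizer for FortiOS key=value event logs: a value is either a quoted
# string (which may contain spaces) or a bare token such as an IP address.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Public DNS resolver addresses of the kind the actors spoofed as login sources.
# Assumption: an illustrative set; extend it from your own baseline.
PUBLIC_DNS_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

# Configuration paths touched in the SSL VPN phase: admin accounts (new
# super_admin accounts, hijacked admins, the built-in "guest"), SSL VPN
# settings and portals, and local users. Assumption: FortiOS cfgpath names.
SENSITIVE_CFGPATHS = (
    "system.admin",
    "vpn.ssl.settings",
    "vpn.ssl.web.portal",
    "user.local",
)


def parse_fortigate_log(line: str) -> dict[str, str]:
    """Split one FortiOS log line into a field dict, unwrapping quoted values."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def is_spoofed_source(ip: str) -> bool:
    """True for source addresses no genuine admin session would carry."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or ip in PUBLIC_DNS_RESOLVERS


def classify(event: dict[str, str]) -> str | None:
    """Map one parsed event onto a campaign phase indicator, or None."""
    ui = event.get("ui", "")
    # Every phase observed on the firewall itself rode the jsconsole; GUI and
    # SSH sessions are ignored here to keep the hunt focused on that pattern.
    if not ui.startswith("jsconsole"):
        return None
    if event.get("action") == "login":
        if is_spoofed_source(event.get("srcip", "")):
            return "scanning: jsconsole login from spoofed source"
        return None
    cfgpath = event.get("cfgpath", "")
    if cfgpath == "system.admin" and event.get("action") == "Add":
        return "ssl-vpn phase: new admin account created"
    if cfgpath.startswith(SENSITIVE_CFGPATHS):
        return "ssl-vpn phase: admin/SSL VPN configuration changed"
    if cfgpath:
        return "reconnaissance: configuration change via jsconsole"
    return None


def hunt(lines):
    """Tally indicators across a log batch and group them per admin user."""
    tally = Counter()
    by_user = defaultdict(list)
    for line in lines:
        event = parse_fortigate_log(line)
        label = classify(event)
        if label:
            tally[label] += 1
            by_user[event.get("user", "?")].append(label)
    return tally, dict(by_user)


# Constructed sample lines in the shape of FortiOS event logs (not captured
# from a real device); field names follow FortiOS conventions as an assumption.
SAMPLE_LOGS = [
    'date=2024-11-18 time=03:12:44 logid="0100032001" type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" '
    'srcip=127.0.0.1 dstip=203.0.113.10 action="login" status="success" profile="super_admin"',
    'date=2024-11-18 time=03:12:51 logid="0100032002" type="event" subtype="system" '
    'logdesc="Admin login failed" user="admin" ui="jsconsole" method="jsconsole" '
    'srcip=8.8.8.8 dstip=203.0.113.10 action="login" status="failed" reason="passwd_invalid"',
    'date=2024-11-18 time=09:01:02 logid="0100032001" type="event" subtype="system" '
    'logdesc="Admin login successful" user="netops" ui="GUI(10.0.0.5)" method="https" '
    'srcip=10.0.0.5 dstip=10.0.0.1 action="login" status="success" profile="super_admin"',
    'date=2024-11-24 time=02:40:10 logid="0100044547" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" '
    'action="Edit" cfgpath="system.global" cfgobj="" cfgattr="hostname[FW-01->FW-01]"',
    'date=2024-12-05 time=01:15:33 logid="0100044546" type="event" subtype="system" '
    'logdesc="Object configured" user="admin" ui="jsconsole(127.0.0.1)" '
    'action="Add" cfgpath="system.admin" cfgobj="svc_backup"',
    'date=2024-12-05 time=01:16:08 logid="0100044547" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" '
    'action="Edit" cfgpath="vpn.ssl.web.portal" cfgobj="full-access" cfgattr="tunnel-mode[disable->enable]"',
    'date=2024-12-06 time=22:03:19 logid="0100044547" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="svc_backup" ui="jsconsole(8.8.8.8)" '
    'action="Edit" cfgpath="system.admin" cfgobj="guest" cfgattr="accprofile[prof_admin->super_admin]"',
    'date=2024-12-06 time=10:30:00 logid="0100044547" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="netops" ui="GUI(10.0.0.5)" '
    'action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="comments[->reviewed]"',
]


if __name__ == "__main__":
    tally, by_user = hunt(SAMPLE_LOGS)
    for label, count in tally.most_common():
        print(f"{count:3d}  {label}")
    for user, labels in by_user.items():
        print(f"{user}: {len(labels)} indicator(s)")
```

Feed `hunt()` the lines of a syslog export to run it against real data. Any hits under the scanning or new-admin labels warrant a full review of the admin table, trusted hosts and SSL VPN portal settings on that device, since hundreds to thousands of such login events per victim is the volume the researchers reported.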
Arctic Wolf has deployed detections for this campaign to its Managed Detection and Response (MDR) platform and has notified Fortinet, which is investigating the issue and working on patches.
This incident underscores the importance of keeping network management interfaces off the public internet and limiting access to trusted internal users only.
Organizations must remain vigilant and proactive, especially about vulnerabilities in critical network infrastructure such as firewalls, where a single exposed management interface can hand an attacker control of the perimeter.