Hackers Exploiting Fortinet FortiGate Firewalls Using Zero-Day Vulnerability


Cybersecurity firm Arctic Wolf has disclosed details of an ongoing cyber campaign targeting Fortinet FortiGate firewall devices with exposed management interfaces on the public internet.

FortiGate NGFW devices include a standard feature allowing administrators to access the command-line interface via the web-based management interface, providing convenient management.

Threat actors are exploiting what is strongly suspected to be a zero-day vulnerability, allowing unauthorized administrative access to modify firewall configurations, extract credentials, and move laterally within compromised environments.

While the full scope of the vulnerability is yet to be confirmed, Arctic Wolf urges organizations using FortiGate firewalls to immediately disable public management interface access and take additional security measures to mitigate potential risks.

“The campaign involved unauthorized administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes.”

The attack appeared opportunistic, targeting no specific industry or organization type. It primarily exploited vulnerabilities in FortiGate devices running firmware versions 7.0.14 to 7.0.16, released between February and October 2024.

To conceal their activity in the jsconsole command-line interface, attackers used spoofed IP addresses, including loopback addresses (e.g., 127.0.0.1) and well-known DNS resolvers (e.g., 8.8.8.8).


Attack Observation

The attack campaign, observed by Arctic Wolf Labs between November 2024 and December 2024, involved a phased progression of malicious activity:

Between November 16 and December 27, 2024, threat actors executed a multi-phase attack targeting vulnerable FortiGate devices.

During Phase 1 (November 16–23), they conducted vulnerability scans, exploiting the jsconsole command-line interface and often using unusual or spoofed IP addresses, such as loopback addresses (e.g., 127.0.0.1) or public DNS resolvers (e.g., 8.8.8.8).

In Phase 2 (November 22–27), attackers performed reconnaissance by making initial configuration changes to test whether they had successfully gained administrative privileges.

Phase 3 (December 4–7) involved configuring SSL VPN access, during which the attackers either created new super admin accounts or hijacked existing ones to infiltrate networks further. They also modified VPN portal settings or exploited default “guest” accounts for control.

Finally, in Phase 4 (December 16–27), leveraging administrative access, the attackers used the DCSync technique to extract credentials by exploiting domain replication, enabling deeper access to sensitive account information.

Remediation and Best Practices

Arctic Wolf emphasizes the critical importance of securing management interfaces and limiting access to trusted internal users only. Key recommendations include:

  1. Disable Public Management Interface Access Immediately: Ensure firewall management interfaces are inaccessible from the public internet.
  2. Update Firmware Regularly: Patch devices to the latest stable version to safeguard against known vulnerabilities.
  3. Monitor for Anomalous Activity: Look for unusual login behaviors, such as multiple short-lived admin logins or use of loopback IPs.
  4. Use Multifactor Authentication (MFA): Strengthen login security for administrative access.
  5. Conduct Threat Hunting: Investigate for signs of malicious activity, including unauthorized configuration changes or SSL VPN account setups.
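The indicators above (jsconsole logins from loopback or public-resolver source addresses, new admin accounts, SSL VPN configuration changes, and bursts of short-lived admin sessions) can be turned into a simple detection pass over firewall event logs. The following is an added example for this page, not code from the article or from Arctic Wolf or Fortinet: the log lines are constructed, and the field names (`ui`, `srcip`, `action`, `cfgpath`, `cfgobj`), the resolver list beyond 8.8.8.8, and the 60-second / three-session thresholds are assumptions modelled on FortiGate's key=value syslog style rather than values taken from the article.

```python
"""Detection sketch: flag the management-interface abuse indicators in the article.

Parses FortiGate-style key=value event log lines and reports:
  * successful jsconsole logins whose source is a loopback address or a
    well-known public DNS resolver (the spoofing pattern described above),
  * creation or modification of admin accounts and SSL VPN settings,
  * administrators with repeated short-lived sessions.
Field names, sample lines and thresholds are ASSUMPTIONS for this example.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Matches key=value or key="quoted value" pairs.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# 8.8.8.8 is the resolver named in the article; the others are assumed additions.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9"}


def parse_line(line: str) -> dict:
    """Split one key=value log line into a field dictionary."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def suspicious_source(ip: str) -> bool:
    """True for loopback or public-resolver addresses, which should never be
    the genuine source of an administrative session."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or ip in PUBLIC_RESOLVERS


def analyze(lines, short_session_seconds: int = 60, burst_threshold: int = 3):
    """Return a list of (finding, user, detail) tuples for the given log lines."""
    findings = []
    open_sessions = {}                 # (user, srcip) -> login timestamp
    short_sessions = defaultdict(int)  # user -> sessions shorter than threshold
    for line in lines:
        ev = parse_line(line)
        ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        user, src = ev.get("user", ""), ev.get("srcip", "")
        action, cfgpath = ev.get("action", ""), ev.get("cfgpath", "")
        if action == "login" and ev.get("status") == "success":
            if "jsconsole" in ev.get("ui", "") and suspicious_source(src):
                findings.append(("jsconsole_login_spoofed_src", user, src))
            open_sessions[(user, src)] = ts
        elif action == "logout":
            start = open_sessions.pop((user, src), None)
            if start is not None and (ts - start).total_seconds() <= short_session_seconds:
                short_sessions[user] += 1
        elif action in ("Add", "Edit") and cfgpath.startswith("system.admin"):
            findings.append(("admin_account_change", user, ev.get("cfgobj", "")))
        elif action in ("Add", "Edit") and cfgpath.startswith("vpn.ssl"):
            findings.append(("sslvpn_config_change", user, cfgpath))
    for user, n in short_sessions.items():
        if n >= burst_threshold:
            findings.append(("repeated_short_admin_sessions", user, str(n)))
    return findings


# Constructed sample lines (not real telemetry); the dates mirror the phases above.
SAMPLE_LOGS = [
    'date=2024-11-16 time=03:12:01 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=127.0.0.1 action="login" status="success"',
    'date=2024-11-16 time=03:12:20 type="event" subtype="system" logdesc="Admin logout successful" user="admin" ui="jsconsole" srcip=127.0.0.1 action="logout" status="success"',
    'date=2024-11-16 time=03:14:05 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=8.8.8.8 action="login" status="success"',
    'date=2024-11-16 time=03:14:30 type="event" subtype="system" logdesc="Admin logout successful" user="admin" ui="jsconsole" srcip=8.8.8.8 action="logout" status="success"',
    'date=2024-11-16 time=03:16:00 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=8.8.8.8 action="login" status="success"',
    'date=2024-11-16 time=03:16:40 type="event" subtype="system" logdesc="Admin logout successful" user="admin" ui="jsconsole" srcip=8.8.8.8 action="logout" status="success"',
    'date=2024-12-04 time=22:05:11 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="jsconsole" srcip=127.0.0.1 action="Add" cfgpath="system.admin" cfgobj="support01" cfgattr="accprofile[super_admin]"',
    'date=2024-12-04 time=22:07:45 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="jsconsole" srcip=127.0.0.1 action="Edit" cfgpath="vpn.ssl.web.portal" cfgobj="full-access" cfgattr="web-mode[enable]"',
    'date=2024-12-05 time=09:00:00 type="event" subtype="system" logdesc="Admin login successful" user="netops" ui="GUI(10.0.5.20)" srcip=10.0.5.20 action="login" status="success"',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(*finding)
```

The benign `netops` login from an internal address produces no finding, while the jsconsole sessions from 127.0.0.1 and 8.8.8.8, the `system.admin` addition and the `vpn.ssl.web.portal` edit each do. Exporting device logs to a SIEM and running a rule of this shape is one way to act on recommendations 3 and 5; the thresholds should be tuned to the environment's normal admin behaviour.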

Arctic Wolf has also integrated detections for this campaign into its Managed Detection and Response (MDR) platform to enhance protection for customers.

On December 12, 2024, Arctic Wolf reported the observed activities to Fortinet, whose internal PSIRT team confirmed awareness of the campaign on December 17, 2024. Fortinet is actively investigating the issue.

This campaign underscores the risks of exposing management interfaces on public networks. Organizations are urged to act swiftly to implement industry best practices, prevent further intrusions, and protect against potential vulnerabilities yet to emerge.
