Fortinet firewalls mass exploited, possible zero-day may be involved

Arctic Wolf Labs discovered a malicious campaign targeting Fortinet FortiGate firewall devices. The campaign, which has been ongoing since early December, involves unauthorized administrative access to the management interfaces of firewalls, creating new accounts, altering configurations, and exploiting VPN services.

The compromised FortiGate devices, which were exposed to the public internet, had their management interfaces accessed by attackers who made significant changes to the firewall configurations, including the creation of new accounts that then were used to authenticate via SSL VPN. Furthermore, attackers were observed performing lateral movement within affected environments, including the extraction of sensitive credentials through DCSync.

While the exact initial access vector remains unconfirmed, Arctic Wolf Labs suspects the exploitation of a zero-day vulnerability, given the speed and scale of the attack, and the specific versions of firmware affected. The targeted firmware versions range from 7.0.14 to 7.0.16, which were released between February and October 2024.

In December 2023, Synacktiv detailed a privilege escalation vulnerability (CVE-2022-26118) that could be exploited to create backdoor users on FortiGate firewalls. The report described a proof-of-concept bash session demonstrating how attackers could exploit the vulnerability to invoke the newcli utility, adding unauthorized users with administrative privileges.

The session specifically pointed to the –userfrom switch, which allows a source IP to be specified as a loopback interface, a feature that could enable attackers to manipulate firewalls remotely.

While there is no direct evidence that this method was employed in the current campaign, Arctic Wolf Labs observed patterns in the attack behavior that closely resemble the actions described in the proof-of-concept.

The researchers said they observed four phases of the campaign: vulnerability scanning, reconnaissance, SSL VPN configuration and lateral movement.

“What stands out about these activities in contrast with legitimate firewall activities is the fact that they made extensive use of the jsconsole interface from a handful of unusual IP addresses. Given subtle differences in tradecraft and infrastructure between intrusions, it is possible that multiple individuals or groups may have been involved in this campaign, but jsconsole usage was a common thread across the board,” the researchers said.

Fortinet released a security advisory on Tuesday, detailing an authentication bypass vulnerability (CVE-2024-55591) affecting its FortiOS and FortiProxy products. The flaw can be used by a remote attacker to gain super-admin privileges on the system. The advisory also includes Indicators of Compromise (IoCs) related to the attack campaign as well as a workaround to mitigate the threat: disabling the HTTP/HTTPS administrative interface, or limiting the IP addresses that can reach the administrative interface via local-in policies.
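The two workarounds named in the advisory, shown as an added FortiOS CLI example that is not from the article or from Fortinet's advisory. The interface name wan1, the address object name and the 10.0.0.0/24 management subnet are assumptions, and the syntax follows the FortiOS 7.0 CLI as the editor knows it, so verify it against the device's own CLI reference before applying.

```text
# Weak state (assumed): management services reachable from the internet-facing port.
# This is the exposure the campaign relied on: an admin GUI open to any source IP.
config system interface
    edit "wan1"
        set allowaccess ping http https ssh
    next
end

# Workaround 1: remove the HTTP/HTTPS administrative interface from the exposed port.
# allowaccess is a whole-list setting, so re-set it without http and https.
config system interface
    edit "wan1"
        set allowaccess ping ssh
    next
end

# Workaround 2: keep HTTPS but let only a known management subnet reach it
# (assumed subnet 10.0.0.0/24), using local-in policies on the exposed port.
config firewall address
    edit "MGMT_ALLOWED"
        set subnet 10.0.0.0 255.255.255.0
    next
end

config firewall local-in-policy
    # Policy 1: accept admin traffic only from the management subnet.
    edit 1
        set intf "wan1"
        set srcaddr "MGMT_ALLOWED"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action accept
    next
    # Policy 2: deny the same services from everywhere else; order matters,
    # local-in policies are evaluated top-down and the first match wins.
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action deny
    next
end
```

After applying either change, review the admin account list and the SSL VPN user and portal settings for entries that predate the change, since the advisory's IoCs cover configuration edits already made through the exposed interface.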
