Cyber security news for all


    Zero-Day Exploit Suspected in Aggressive Assaults on Fortinet Firewalls with Publicly Accessible Interfaces

    Cybersecurity experts are sounding the alarm on a sophisticated operation targeting Fortinet FortiGate firewall devices whose management interfaces are exposed to the public internet.

    “The campaign entailed unauthorized administrative access via these interfaces, the creation of illicit accounts, authentication to SSL VPN using those accounts, and various unauthorized configuration amendments,” Arctic Wolf disclosed in a detailed analysis last week.

    The malicious activities, traced back to mid-November 2024, appear to involve an as-yet-unidentified adversary who exploited management interfaces to alter configurations and siphon credentials using the DCSync technique.

    Although the precise method of initial entry remains elusive, investigators have a high degree of confidence that the attack exploits a previously unknown zero-day vulnerability. This conclusion stems from the rapid progression of breaches across multiple organizations and the specific firmware versions affected. Impacted firmware includes versions 7.0.14 through 7.0.16, released between February and October 2024.

    Methodical Multi-Phase Assault

    The campaign unfolded in four distinct stages, beginning around November 16, 2024, with activities ranging from vulnerability scanning and reconnaissance to configuration tampering and lateral movement.

    “What differentiates these events from legitimate firewall activities is the repeated use of the jsconsole interface, often accessed from a limited set of anomalous IP addresses,” Arctic Wolf researchers highlighted.

    Despite nuanced variations in methodology and infrastructure between different breaches, the consistent reliance on the jsconsole interface suggests a common thread, although multiple threat actors or groups may have been involved.

    Escalation to Admin Privileges

    Key among the attackers’ tactics was altering the output settings from “standard” to “more” during early reconnaissance, followed by more intrusive changes in early December 2024. These changes included creating unauthorized super admin accounts.

    These accounts facilitated the creation of additional local user accounts—up to six per device—that were integrated into existing organizational groups designated for SSL VPN access. In some instances, threat actors hijacked legitimate accounts and modified their access privileges to further their aims.

    Moreover, newly configured SSL VPN portals were deployed, with attackers directly linking user accounts to these portals. VPN tunnels established through these changes were traced back to a small group of VPS hosting providers.
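The indicators described in the two sections above (jsconsole administrative logins from unexpected addresses, the console output setting changed from "standard" to "more", new admin accounts, new SSL VPN configuration) can be turned into simple log-review rules. The following is an added example, not code from Arctic Wolf or Fortinet; the sample lines are constructed to approximate the key="value" layout of FortiGate event logs, and the field names (ui, srcip, action, cfgpath, cfgattr) and the trusted management network are assumptions to adapt to the real schema.

```python
import ipaddress
import re

# Assumed management network; admin logins from anywhere else are suspect.
TRUSTED_MGMT = [ipaddress.ip_network("10.0.0.0/8")]

# Matches key=value and key="value with spaces" pairs.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample events (not real log data); field names are assumptions.
LOGS = """\
date=2024-12-02 time=08:15:01 type="event" logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=203.0.113.45 action="login" status="success"
date=2024-12-02 time=08:15:30 type="event" logdesc="Object attribute configured" user="admin" ui="jsconsole" srcip=203.0.113.45 action="Edit" cfgpath="system.console" cfgattr="output[standard->more]"
date=2024-12-02 time=08:16:10 type="event" logdesc="Object configured" user="admin" ui="jsconsole" srcip=203.0.113.45 action="Add" cfgpath="system.admin" cfgobj="svc_backup" cfgattr="accprofile[super_admin]"
date=2024-12-02 time=09:00:00 type="event" logdesc="Admin login successful" user="netops" ui="https(10.1.2.3)" srcip=10.1.2.3 action="login" status="success"
"""

def parse(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def is_trusted(ip):
    """True if ip parses and falls inside an assumed trusted management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_MGMT)

def check(event):
    """Return the name of the first rule an event trips, or None."""
    action, cfgpath = event.get("action"), event.get("cfgpath", "")
    if action == "login" and event.get("ui", "").startswith("jsconsole") \
            and not is_trusted(event.get("srcip", "")):
        return "jsconsole-login-untrusted-ip"
    if cfgpath == "system.console" and "output[" in event.get("cfgattr", ""):
        return "console-output-changed"        # recon step named in the article
    if action == "Add" and cfgpath == "system.admin":
        return "admin-account-created"         # review accprofile for super_admin
    if action == "Add" and cfgpath.startswith("vpn.ssl"):
        return "sslvpn-config-added"           # new portals / user-to-portal links
    return None

def scan(text):
    """Run every line through the rules; return (rule, user, srcip) tuples."""
    alerts = []
    for line in text.splitlines():
        ev = parse(line)
        rule = check(ev)
        if rule:
            alerts.append((rule, ev.get("user"), ev.get("srcip")))
    return alerts
```

Running scan(LOGS) flags the three jsconsole events from 203.0.113.45 and leaves the routine HTTPS login from the management network alone; a single hit on any of these rules is worth a manual look at the device's admin list and SSL VPN settings.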

    Exploitation via Credential Theft

    The operation reached its zenith when the attackers utilized their established access to execute DCSync, a technique aimed at extracting credentials to enable lateral movement within compromised networks. However, the ultimate objectives of the campaign remain obscured, as the threat actors withdrew from compromised environments before advancing further.

    Risk Mitigation Strategies

    Organizations are urged to shield their firewall management interfaces from internet exposure and restrict access to a limited group of trusted users.

    “The scope of victims in this campaign was neither confined to specific industries nor organization sizes,” Arctic Wolf noted. “The broad range of victim profiles, coupled with signs of automated login and logout sequences, underscores the opportunistic nature of these attacks rather than deliberate targeting.”

    Through proactive measures, organizations can curtail exposure to similar exploits and bolster their defensive posture against such advanced threats.
