Fortinet Under Cyber Attack: Zero-Day Vulnerability Suspected in FortiGate Firewalls

Cybersecurity experts are raising alarms about a new campaign targeting Fortinet FortiGate firewall devices, specifically those with exposed management interfaces on the public internet.

The campaign involves unauthorized administrative logins to firewall management interfaces, followed by the creation of new accounts, SSL VPN authentication via those accounts, and various configuration modifications.

Arctic Wolf, a cybersecurity firm, published an analysis last week detailing the malicious activity, which appears to have started in mid-November 2024. Threat actors exploited vulnerabilities in FortiGate devices to alter configurations and extract credentials using DCSync.

While the precise initial access method remains unknown, experts believe the attack was likely driven by a zero-day vulnerability, given the rapid timeline of the incidents and the affected firmware versions.

The impacted devices were running firmware versions between 7.0.14 and 7.0.16, released in February and October 2024, respectively.

The campaign unfolded in four distinct phases, beginning around November 16, 2024. The attackers progressed from scanning for vulnerabilities and conducting reconnaissance to making configuration changes and moving laterally within the network.

One notable feature of the attack was the extensive use of the jsconsole interface from several unusual IP addresses, which stood out clearly from legitimate administrative activity on the firewalls.

The attackers logged into firewall management interfaces and made initial reconnaissance changes, such as modifying the output setting from “standard” to “more.”

By early December 2024, they had created new super admin accounts, which were then used to add as many as six new local user accounts per device, assigning them to existing groups for SSL VPN access. In some cases, attackers hijacked existing accounts and added them to VPN-accessible groups.

Additionally, new SSL VPN portals were created, and user accounts were directly added to them. The attackers then established SSL VPN tunnels to the compromised devices, with client IP addresses originating from a few VPS hosting providers.
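The indicators described above (jsconsole logins from unexpected sources, the console output change, and the addition of admin accounts, local users, groups and SSL VPN portals) can be hunted for in FortiGate event logs. The script below is an added illustration, not code from the article or from Arctic Wolf; the log lines are constructed, the field names (ui, srcip, action, cfgpath, cfgobj, msg) follow the usual FortiGate key="value" layout but are assumed here, and the trusted management range is a placeholder.

```python
import shlex
from ipaddress import ip_address, ip_network

# Constructed FortiGate-style key="value" event-log lines for this demo; they are
# not taken from the article. Field names follow the common FortiGate event-log
# layout (ui, user, srcip, action, cfgpath, cfgobj, msg) but are assumptions.
SAMPLE_LOGS = [
    'type="event" subtype="system" action="login" status="success" ui="https" user="admin" srcip="10.0.0.5"',
    'type="event" subtype="system" action="login" status="success" ui="jsconsole" user="admin" srcip="203.0.113.77"',
    'type="event" subtype="system" action="Edit" cfgpath="system.console" msg="Edit system.console output more" ui="jsconsole" user="admin" srcip="203.0.113.77"',
    'type="event" subtype="system" action="Add" cfgpath="system.admin" cfgobj="svc_backup" ui="jsconsole" user="admin" srcip="203.0.113.77"',
    'type="event" subtype="system" action="Add" cfgpath="vpn.ssl.web.portal" cfgobj="portal2" ui="jsconsole" user="svc_backup" srcip="203.0.113.77"',
]

# Assumption: the only legitimate source of management logins is this range.
TRUSTED_MGMT_NETS = [ip_network("10.0.0.0/8")]
# Config paths touched in the campaign: admin/local accounts, groups, VPN portals.
WATCHED_CFGPATHS = {"system.admin", "user.local", "user.group", "vpn.ssl.web.portal"}


def parse_kv(line):
    """Split a key="value" log line into a dict (shlex strips the quotes)."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def is_trusted(src):
    """True when the source IP falls inside an approved management network."""
    try:
        return any(ip_address(src) in net for net in TRUSTED_MGMT_NETS)
    except ValueError:
        return False


def triage(lines):
    """Return (rule, user, srcip, detail) for every line matching a campaign indicator."""
    hits = []
    for line in lines:
        ev = parse_kv(line)
        src, user, path = ev.get("srcip", ""), ev.get("user", "?"), ev.get("cfgpath", "")
        if ev.get("action") == "login" and ev.get("ui") == "jsconsole" and not is_trusted(src):
            hits.append(("jsconsole_login_untrusted", user, src, ev.get("ui")))
        if path == "system.console" and "output more" in ev.get("msg", ""):
            hits.append(("console_output_more", user, src, ev.get("msg")))
        if ev.get("action") == "Add" and path in WATCHED_CFGPATHS:
            hits.append(("account_or_portal_added", user, src, f"{path}:{ev.get('cfgobj')}"))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOGS):
        print(hit)
```

A single jsconsole login from an untrusted address is worth a look on its own; the same source then adding an admin account and an SSL VPN portal within minutes is the sequence the article describes.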

The campaign culminated in the use of SSL VPN access to extract credentials for lateral movement via DCSync, although the attackers’ final goals remain unclear, as they purged their presence from the compromised environments before progressing further.

To mitigate such risks, organizations are advised to avoid exposing their firewall management interfaces to the internet and restrict access to trusted users.

The campaign’s victimology appears to be opportunistic, with no specific sector or organization size targeted. The automated nature of the login/logout events suggests the attackers cast a wide net rather than focusing on particular organizations.

In related news, Fortinet has confirmed the existence of a critical authentication bypass vulnerability (CVE-2024-55591, CVSS score: 9.6) in FortiOS and FortiProxy.

This flaw, which affects versions 7.0.0 through 7.0.16 of FortiOS and 7.0.0 through 7.0.19 of FortiProxy, allows attackers to bypass authentication and gain super-admin privileges via crafted requests to the Node.js websocket module. Fortinet has issued an advisory urging users to upgrade to FortiOS 7.0.17 or later and FortiProxy 7.0.20 or later to address the vulnerability.

The flaw has been actively exploited by threat actors to create admin and local user accounts, configure user groups, and modify firewall policies, mirroring the findings of Arctic Wolf’s investigation.
