Introduction
Recent findings reveal a concerning campaign targeting Fortinet FortiGate firewall devices with public-facing management interfaces. Cybersecurity experts have flagged this issue as a significant threat, highlighting unauthorized administrative logins, altered configurations, and credential extraction as key aspects of the attack. This article delves into the details of the campaign, its implications, and recommended measures to mitigate risks.
Overview of the Campaign
According to cybersecurity firm Arctic Wolf, the malicious activity began in mid-November 2024. Threat actors accessed management interfaces on FortiGate firewalls to modify configurations and extract credentials via the DCSync technique. The exact method of initial access remains unclear, but experts suspect a zero-day vulnerability exploitation due to the rapid timeline and the affected firmware versions.
Affected Devices and Firmware Versions
Devices running firmware versions 7.0.14 to 7.0.16, released between February and October 2024, were identified as vulnerable. These versions likely contained the exploited vulnerability, emphasizing the importance of regular updates and patches.
Stages of the Attack
The campaign unfolded in four phases starting November 16, 2024:
Reconnaissance and Scanning: Threat actors identified vulnerable devices by extensively using the jsconsole interface from unusual IP addresses.
Configuration Changes: Attackers altered device settings, including modifying output configurations and creating super admin accounts.
Account Compromise: Newly created super admin accounts were used to establish additional local user accounts, often added to SSL VPN groups. Existing accounts were also hijacked and repurposed.
Credential Extraction: Using SSL VPN access, adversaries extracted credentials via DCSync, enabling lateral movement across affected networks. However, their ultimate objectives remain unknown as they purged their traces before advancing further.
Characteristics of the Campaign
Arctic Wolf noted differences in tradecraft and infrastructure across incidents, suggesting multiple threat actors might be involved. A commonality in the use of the jsconsole interface indicates shared methods among attackers.
Fortinet’s Response and New Zero-Day Discovery
On January 14, 2025, Fortinet disclosed a critical authentication bypass vulnerability in FortiOS and FortiProxy, tracked as CVE-2024-55591 (CVSS score: 9.6). This flaw, which affects multiple firmware versions, allows attackers to gain super-admin privileges via crafted requests to the Node.js websocket module.
Affected Versions:
FortiOS 7.0.0 through 7.0.16 (upgrade to 7.0.17 or above)
FortiProxy 7.0.0 through 7.0.19 (upgrade to 7.0.20 or above)
FortiProxy 7.2.0 through 7.2.12 (upgrade to 7.2.13 or above)
Fortinet confirmed that attackers leveraged this vulnerability to create admin accounts, modify firewall policies, and manipulate SSL VPN user groups, consistent with Arctic Wolf’s findings.
Mitigation Strategies
Organizations should adopt the following measures to protect against similar threats:
Restrict Management Interface Access: Ensure that firewall management interfaces are not exposed to the public internet. Restrict access to trusted users and IP ranges.
Update Firmware Regularly: Upgrade to patched firmware versions as recommended by Fortinet to mitigate known vulnerabilities.
Monitor for Unusual Activity: Implement robust monitoring solutions to detect unauthorized logins, configuration changes, and suspicious IP addresses.
Strengthen VPN Security: Regularly audit SSL VPN configurations and user groups to identify unauthorized changes.
Conclusion
The campaign targeting Fortinet FortiGate devices underscores the evolving tactics of cyber adversaries. By exploiting vulnerabilities and leveraging sophisticated techniques, attackers compromise network security and extract critical credentials. Organizations must prioritize regular updates, restrict public exposure of management interfaces, and maintain vigilant monitoring to safeguard against such threats. Staying proactive and informed is essential to counteract these persistent cyber risks.
0 Comments