CyberSecurity SEE

Hackers Targeting Internet-Connected Fortinet Firewalls with Zero-Day Vulnerability

A campaign targeting Fortinet FortiGate firewalls whose management interfaces are exposed to the public internet has been identified. The activity, tracked by Arctic Wolf between November and December 2024, is believed to exploit a zero-day vulnerability that gives attackers unauthorized administrative access to the firewall and the ability to change its configuration.

The attack unfolded in phases against devices running FortiOS firmware versions 7.0.14 to 7.0.16. Arctic Wolf divides the campaign into four stages: vulnerability scanning, reconnaissance, SSL VPN configuration, and lateral movement.

In the initial scanning phase, the attackers' logins to the firewalls were recorded as coming through the jsconsole interface, the browser-based command-line console that is normally opened from the FortiGate GUI. The source IP addresses in those log entries were spoofed or otherwise anomalous, including loopback addresses (127.0.0.1) and the addresses of public DNS resolvers, values that a genuine remote administrator session would not produce.

In the reconnaissance phase the attackers made small configuration changes, apparently to confirm that they held working administrative privileges. In the SSL VPN configuration phase they either created new super admin (super_admin profile) accounts or hijacked existing ones, and used that access to configure SSL VPN access that gave them a route into the internal network.

In the final lateral-movement stage, the attackers used the foothold they had gained to perform DCSync against Active Directory, abusing domain-controller replication to pull account credentials, including password hashes, from the domain.
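The two log artifacts described in the scanning and SSL VPN configuration phases, successful admin logins via jsconsole from loopback or public-resolver source addresses and the creation of super_admin accounts, are both straightforward to hunt for in FortiGate event logs. The script below is an added example, not Arctic Wolf's or Fortinet's code. The sample log lines are constructed in FortiGate's key=value event-log style; the field names it relies on (ui, method, srcip, action, status, profile, cfgpath, cfgobj, cfgattr), the list of public resolvers, and the trusted management host are assumptions to adapt to your own firmware and environment.

```python
"""Hunt FortiGate event logs for spoofed-source admin logins and admin account changes.

Added example, not Arctic Wolf's or Fortinet's code. Field names and the
sample lines below are assumptions in FortiGate's key=value log style.
"""
import ipaddress
import re

# Well-known public DNS resolvers (assumption: extend with any others you see).
# A successful admin login "from" one of these is a spoofed source address.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

# Constructed sample log: two spoofed-source jsconsole logins, one legitimate GUI
# login from the management subnet, and one super_admin account creation.
SAMPLE_LOGS = """\
date=2024-11-18 time=02:14:07 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" srcip=127.0.0.1 dstip=203.0.113.10 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"
date=2024-11-18 time=02:15:30 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" srcip=8.8.8.8 dstip=203.0.113.10 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"
date=2024-11-18 time=09:01:12 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="netops" ui="https(10.0.5.21)" method="https" srcip=10.0.5.21 dstip=10.0.5.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator netops logged in successfully from https(10.0.5.21)"
date=2024-12-05 time=03:40:51 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object configured" user="admin" ui="jsconsole" action="Add" cfgtid=1 cfgpath="system.admin" cfgobj="svcadm" cfgattr="accprofile[super_admin]" msg="Add system.admin svcadm"
"""

# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one key=value event line into a dict; values may be quoted or bare."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def source_anomaly(srcip, trusted_hosts):
    """Return why srcip is suspicious for an admin login, or None if it is expected."""
    try:
        ip = ipaddress.ip_address(srcip)
    except ValueError:
        return "unparseable source address"
    if ip.is_loopback:
        return "loopback source address (spoofed)"
    if srcip in PUBLIC_RESOLVERS:
        return "public DNS resolver as source address (spoofed)"
    if srcip not in trusted_hosts:
        return "source address outside the management allow-list"
    return None


def hunt_logins(lines, trusted_hosts):
    """Flag successful admin logins whose source address does not make sense."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("action") != "login" or ev.get("status") != "success":
            continue
        reason = source_anomaly(ev.get("srcip", ""), trusted_hosts)
        if reason is None:
            continue
        findings.append({
            "when": f"{ev.get('date')} {ev.get('time')}",
            "user": ev.get("user"),
            "srcip": ev.get("srcip"),
            "via": ev.get("ui"),
            "profile": ev.get("profile"),
            "reason": reason,
        })
    return findings


def hunt_admin_changes(lines):
    """Flag additions or edits under system.admin: new or modified administrator accounts."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("cfgpath") == "system.admin" and ev.get("action") in ("Add", "Edit"):
            findings.append({
                "when": f"{ev.get('date')} {ev.get('time')}",
                "by": ev.get("user"),
                "via": ev.get("ui"),
                "action": ev.get("action"),
                "cfgobj": ev.get("cfgobj"),
                "cfgattr": ev.get("cfgattr"),
            })
    return findings


if __name__ == "__main__":
    trusted = {"10.0.5.21"}  # assumption: the only host allowed to administer the firewall
    for f in hunt_logins(SAMPLE_LOGS.splitlines(), trusted):
        print("suspicious login:", f)
    for f in hunt_admin_changes(SAMPLE_LOGS.splitlines()):
        print("admin account change:", f)
```

Run against the constructed sample, the two jsconsole logins from 127.0.0.1 and 8.8.8.8 are flagged while the GUI login from the trusted management host is not, and the creation of the super_admin account "svcadm" is reported separately. In a real hunt, point the functions at the exported event log and seed the allow-list with every host that is legitimately permitted to administer the device.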

Stefan Hostetler, lead threat intelligence researcher at Arctic Wolf, said: “The observed pattern of activity aligns with widespread, opportunistic exploitation, as each victim organization experienced numerous malicious login events on Fortinet firewall devices.”

The specific vulnerability has not been confirmed, but the compressed timeline, the number of unrelated organizations hit, and the range of firmware versions affected point to a zero-day rather than exploitation of an already-patched flaw.

Dozens of organizations across a range of industries were affected. Fortinet has acknowledged in a security advisory that threat actors exfiltrated data, including IP addresses, credentials, and configuration data, from FortiGate devices managed by compromised FortiManager appliances.

Organizations are advised to act immediately: remove management-interface access from public-facing interfaces, update firmware to the latest fixed version, require multi-factor authentication for administrative accounts, monitor for anomalous administrative login activity (unexpected source addresses, unexpected login interfaces, and unexpected account creation), and threat-hunt for signs of compromise such as unfamiliar administrative accounts and unexpected SSL VPN configuration changes.
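The first three recommendations above are all visible in a FortiGate configuration backup, so they can be checked mechanically. The script below is an added example, not Fortinet's tooling: it parses the config / edit / set / next / end structure of a configuration export and reports management protocols enabled on WAN-role interfaces, administrators without a trusthost restriction or two-factor authentication, and super_admin accounts missing from a known baseline. Both configurations are constructed; the interface names, the management subnet 10.0.5.0/24 and the baseline admin list are assumptions.

```python
"""Audit a FortiGate configuration export for exposed management and weak admin accounts.

Added example, not Fortinet's tooling. The sample configs are constructed
and the interface names, subnet and baseline admin list are assumptions.
"""
import shlex

MANAGEMENT_PROTOCOLS = {"http", "https", "ssh", "telnet"}

# Constructed: HTTPS and SSH management reachable on the WAN interface, and an
# "admin" account that accepts logins from anywhere with no second factor.
WEAK_CONFIG = """\
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "netops"
        set trusthost1 10.0.5.0 255.255.255.0
        set accprofile "super_admin"
        set vdom "root"
        set two-factor fortitoken
    next
end
"""

# Constructed: the same device hardened. Management is reachable only on the
# internal interface; the admin account is pinned to the management subnet and
# requires a FortiToken (the token assignment line is omitted for brevity).
HARDENED_CONFIG = """\
config system interface
    edit "wan1"
        set allowaccess ping
        set role wan
    next
    edit "internal"
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set trusthost1 10.0.5.0 255.255.255.0
        set accprofile "super_admin"
        set vdom "root"
        set two-factor fortitoken
    next
end
"""


def parse_fortigate_config(text):
    """Build nested dicts: {"system interface": {"wan1": {"allowaccess": [...], ...}}, ...}."""
    tree, stack = {}, []
    current = tree
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # handles the quoted names in edit/set lines
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(current)
            current = current.setdefault(" ".join(args), {})
        elif cmd == "edit":
            stack.append(current)
            current = current.setdefault(args[0], {})
        elif cmd == "set":
            current[args[0]] = args[1:]
        elif cmd in ("next", "end"):
            current = stack.pop()
    return tree


def audit(tree):
    """Return findings for exposed management protocols and weakly protected admins."""
    findings = []
    for name, iface in tree.get("system interface", {}).items():
        exposed = set(iface.get("allowaccess", [])) & MANAGEMENT_PROTOCOLS
        if exposed and iface.get("role", ["undefined"])[0] == "wan":
            findings.append(f"interface {name}: {sorted(exposed)} reachable on a WAN-role interface")
    for name, admin in tree.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in admin):
            findings.append(f"admin {name}: no trusthost, logins accepted from any source")
        if admin.get("two-factor", ["disable"]) == ["disable"]:  # default is not exported
            findings.append(f"admin {name}: no two-factor authentication")
    return findings


def unexpected_super_admins(tree, baseline):
    """super_admin accounts absent from the baseline: candidates for attacker-created accounts."""
    admins = tree.get("system admin", {})
    return {n for n, a in admins.items() if a.get("accprofile") == ["super_admin"]} - set(baseline)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        tree = parse_fortigate_config(cfg)
        print(label, audit(tree), "unexpected super_admins:", unexpected_super_admins(tree, {"admin"}))
```

The weak configuration produces three findings (management on wan1, and the admin account with neither a trusthost nor a second factor) and one super_admin account outside the baseline; the hardened configuration produces none. Exports from a real device carry many more sections and nested config blocks, which the stack-based parser handles the same way, so the audit can be run unchanged against a full backup.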

Arctic Wolf has added detections for this campaign to its managed detection and response platform to protect its customers. Fortinet is investigating the activity and developing patches for the vulnerability.

This incident underscores the need to protect network management interfaces and to restrict access to them to trusted internal hosts only. As attacks on edge infrastructure grow more sophisticated, organizations must stay alert and keep hardening devices such as firewalls, which sit at the boundary of the network and are exposed directly to the internet.
