CyberSecurity SEE

Zero-Day Exploit Driving Fortinet Firewall Attacks

A recent string of cyberattacks on Fortinet FortiGate firewall devices with exposed management interfaces on the public Internet has raised concerns about a potential zero-day flaw being exploited by threat actors. Researchers at Arctic Wolf have been monitoring the attacks since early December, noting unauthorized logins, configuration alterations, and SSL VPN authentication by the attackers.

According to a recent blog post by Arctic Wolf, the threat actors targeted FortiGate devices with firmware versions ranging from 7.0.14 to 7.0.16, gaining access to management interfaces and making configuration changes. Additionally, attackers were seen using DCSync to extract credentials in compromised environments. Arctic Wolf released a security bulletin in December and later revealed more details in the blog post, suggesting a zero-day flaw may be at play.

Although the zero-day flaw has not been definitively confirmed, the compressed timeline of the attacks and the narrow band of affected firmware versions suggest that the attackers may be using an undisclosed vulnerability. The victims varied in sector and organization size, indicating an opportunistic rather than targeted approach by the threat actors.

The researchers identified a suspicious pattern of activity on the affected devices, specifically noting the extensive use of the jsconsole interface from unusual IP addresses. This behavior, while not directly confirmed as part of the attacks, aligns with the observed malicious actions on the devices. The researchers also highlighted that multiple individuals or groups may be involved in the campaign, but the use of jsconsole was consistent across the incidents.

The campaign was divided into four phases by the researchers, starting with vulnerability scanning in mid-November, reconnaissance in late November, SSL VPN configuration in early December, and lateral movement in late December. The researchers noted that the campaign is still ongoing, with the possibility of further activity in the future. The attackers’ use of jsconsole logins from anomalous IP addresses was prevalent across the phases, with short-lived sessions and multiple logins within a single second.

To protect against similar attacks, organizations are advised to avoid exposing Fortinet device management interfaces on the public Internet. By limiting access to trusted internal users, the attack surface available to threat actors can be reduced. Regular firmware updates and syslog monitoring for firewall devices are recommended best practices to patch vulnerabilities and detect malicious activity early.
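The syslog monitoring recommended above can be turned into a concrete check for the pattern the researchers describe (jsconsole logins from unusual IP addresses, several logins within a single second, and short-lived sessions). The script below is an added example written for this page, not code from Arctic Wolf or Fortinet. It assumes a FortiGate-style key=value event-log layout and the field names `user`, `ui`, `srcip`, `action` and `status`; the sample log lines, the trusted management range `10.0.0.0/8` and the 60-second session threshold are all constructed for illustration.

```python
"""Flag anomalous jsconsole admin logins in FortiGate-style syslog lines (added example)."""
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption: management access is only expected from this internal range.
TRUSTED_MGMT_NETS = [ip_network("10.0.0.0/8")]
# Assumed threshold: sessions shorter than this are considered suspiciously short.
SHORT_SESSION_SECONDS = 60

# Constructed sample events in a FortiGate-style key=value layout; the field
# names and values are illustrative, not taken from the article or a real device.
SAMPLE_LOGS = [
    'date=2024-12-03 time=09:15:01 type="event" subtype="system" user="admin" ui="https(10.0.0.5)" srcip=10.0.0.5 action="login" status="success"',
    'date=2024-12-03 time=09:45:30 type="event" subtype="system" user="admin" ui="https(10.0.0.5)" srcip=10.0.0.5 action="logout" status="success"',
    'date=2024-12-03 time=11:42:10 type="event" subtype="system" user="admin" ui="jsconsole" srcip=203.0.113.77 action="login" status="success"',
    'date=2024-12-03 time=11:42:10 type="event" subtype="system" user="admin" ui="jsconsole" srcip=203.0.113.77 action="login" status="success"',
    'date=2024-12-03 time=11:42:10 type="event" subtype="system" user="admin" ui="jsconsole" srcip=203.0.113.77 action="login" status="success"',
    'date=2024-12-03 time=11:42:14 type="event" subtype="system" user="admin" ui="jsconsole" srcip=203.0.113.77 action="logout" status="success"',
    'date=2024-12-03 time=14:00:00 type="event" subtype="system" user="netops" ui="jsconsole" srcip=10.0.0.5 action="login" status="success"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn a key=value syslog line into a dict, stripping surrounding quotes."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return fields


def is_trusted(ip):
    """True if the source address falls inside the allowlisted management range."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def analyze(lines):
    """Return a list of (rule, user, srcip, detail) findings for the given log lines."""
    findings = []
    login_burst = Counter()      # (user, srcip, second) -> number of successful logins
    open_sessions = {}           # (user, srcip) -> timestamp of most recent login
    seen_untrusted = set()       # avoid repeating rule 1 for the same user/ip pair

    for ev in (parse_line(l) for l in lines):
        key = (ev.get("user"), ev.get("srcip"))
        if ev.get("action") == "login" and ev.get("status") == "success":
            # Rule 1: jsconsole login from outside the trusted management range.
            if ev.get("ui") == "jsconsole" and not is_trusted(ev["srcip"]) and key not in seen_untrusted:
                seen_untrusted.add(key)
                findings.append(("jsconsole_untrusted_ip", *key, str(ev["ts"])))
            # Rule 2: count logins per (user, ip, second) to catch same-second bursts.
            login_burst[(*key, ev["ts"])] += 1
            open_sessions[key] = ev["ts"]
        elif ev.get("action") == "logout" and key in open_sessions:
            # Rule 3: pair the logout with the last login and flag very short sessions.
            duration = (ev["ts"] - open_sessions.pop(key)).total_seconds()
            if duration < SHORT_SESSION_SECONDS:
                findings.append(("short_session", *key, f"{duration:.0f}s"))

    for (user, ip, ts), n in login_burst.items():
        if n > 1:
            findings.append(("login_burst", user, ip, f"{n} logins at {ts}"))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(*finding, sep="\t")
```

Run against the constructed sample, the script reports the untrusted jsconsole login from 203.0.113.77, a 4-second session, and a burst of three logins in one second, while the jsconsole login from the allowlisted 10.0.0.5 address is left alone. In production the allowlist and threshold belong in configuration, and the findings would feed a SIEM rule rather than stdout.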

In conclusion, the recent cyberattacks on Fortinet FortiGate devices highlight the importance of cybersecurity best practices and vigilance in protecting sensitive network infrastructure from evolving threats. Organizations must remain proactive in securing their systems and monitoring for any suspicious activity to prevent unauthorized access and data breaches.
