A sophisticated and automated threat campaign has emerged, raising significant concerns for organizations utilizing Fortinet security appliances. Since mid-January 2026, security analysts have been observing a distinct cluster of malicious activity involving unauthorized configuration changes on FortiGate devices, executed through compromised Single Sign-On (SSO) accounts. This developing situation involves threat actors creating generic user accounts to establish persistence, altering configurations to grant these new accounts VPN access, and systematically exfiltrating firewall configuration files. The speed and precision of these actions strongly suggest the use of automated scripts, allowing attackers to compromise systems in a matter of seconds. This campaign bears a striking resemblance to a series of attacks first detailed in December 2025, which also leveraged SSO login activity to breach administrator accounts and extract sensitive device configurations. The recurrence of this attack vector underscores the critical need for heightened vigilance and proactive security measures among network administrators.
1. Deconstructing the Attack Methodology
The initial intrusion vector in these recently observed incidents involves malicious SSO logins that appear to originate from a handful of specific hosting providers. Attackers have been observed primarily using the account [email protected] to gain unauthorized administrative access. System logs from compromised devices show clear evidence of these successful logins, with entries explicitly detailing the user, the SSO method, and the source IP address of the attack. For instance, a typical log entry would read: msg="Administrator [email protected] logged in successfully from sso(104.28.244.115)". What makes this activity particularly alarming is the follow-up sequence, which occurs within seconds of the initial login. This rapid execution of subsequent commands points directly to a pre-programmed, automated attack script designed for maximum efficiency, leaving little to no time for manual intervention or detection before significant damage is done. This automation allows the threat actor to quickly scale their operations across numerous vulnerable targets.
Immediately following a successful malicious SSO login, the automated attack script proceeds to exfiltrate the firewall's entire system configuration. This is achieved through the device's graphical user interface (GUI), with system event logs recording the action as a file download. A corresponding log entry would confirm this activity with a message like: msg="System config file has been downloaded by user [email protected] via GUI(104.28.244.115)". The stolen configuration file contains a wealth of sensitive information, including hashed user credentials, network topology, and security policies. With this data in hand, the threat actor then moves to establish a persistent foothold on the compromised device. This is accomplished by creating a new secondary administrator account, often with a generic name such as secadmin. This entire sequence, from initial login to data exfiltration and the creation of a persistence account, takes place in a rapid, coordinated fashion, further cementing the theory that these attacks are not manual but are instead carried out by a sophisticated, automated tool.
2. Identifying the Intrusion Footprint
To effectively identify and respond to these intrusions, it is crucial for security teams to be aware of the specific Indicators of Compromise (IOCs) associated with this campaign. The threat actors have consistently used a small set of accounts for initial access and data exfiltration, most notably [email protected] and [email protected]. Any login activity from these accounts should be treated as highly suspicious and investigated immediately. Furthermore, the malicious traffic has been traced back to a specific range of IP addresses, including 104.28.244[.]115, 104.28.212[.]114, 217.119.139[.]50, and 37.1.209[.]19. Network administrators should actively monitor their firewall logs for any incoming connections from these source IPs, as they are a strong indicator of an attempted or successful breach. Proactively blocking these IPs and auditing logs for any historical communication can provide an early warning system and help determine the scope of a potential compromise. These IOCs serve as the digital breadcrumbs that can lead investigators to uncover the full extent of the attacker’s activities within the network.
Beyond the initial access indicators, the creation of specific user accounts serves as a clear sign that a device has been compromised and that the attacker is attempting to establish long-term persistence. Security teams should conduct thorough audits of their FortiGate devices for any unauthorized administrator accounts. The attackers in this campaign have been observed creating accounts with generic, yet plausible, names that might evade a cursory glance. These include usernames such as secadmin, itadmin, support, backup, remoteadmin, and audit. The presence of any of these accounts, especially if their creation coincides with suspicious login activity, is a definitive red flag. Discovering such an account implies that the attacker has already exfiltrated the device configuration and is positioned to maintain access even if the initial SSO vulnerability is patched or the original malicious account is disabled. Immediate removal of these accounts and a full credential reset are critical steps in the remediation process to fully evict the threat actor from the environment.
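To show how the two log messages quoted in section 1 and the indicators in this section can be turned into a detection, here is an added Python example (not from the advisory and not a Fortinet tool). It parses FortiGate-style key=value event lines, flags SSO logins, config downloads and admin-account creation that come from the listed IOC addresses or use the listed persistence names, and calls out the scripted timing when those steps land within a minute of the login. The sample lines, the placeholder SSO account (the real one is redacted on the page), and the "Add system.admin" wording of the config-change event are constructed assumptions.

```python
import re
from datetime import datetime

# Indicators quoted in the advisory; the account name is redacted there, so the sample uses a placeholder.
IOC_IPS = {"104.28.244.115", "104.28.212.114", "217.119.139.50", "37.1.209.19"}
PERSISTENCE_NAMES = {"secadmin", "itadmin", "support", "backup", "remoteadmin", "audit"}
WINDOW_SECONDS = 60  # login -> config download -> new admin all landing inside a minute = scripted
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
IP_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")
LOGIN_RE = re.compile(r"Administrator (\S+) logged in successfully from sso\((\S+?)\)")
DOWNLOAD_RE = re.compile(r"System config file has been downloaded by user (\S+) via GUI\((\S+?)\)")
ADD_ADMIN_RE = re.compile(r"Add system\.admin (\S+)")  # assumed wording of the config-change event
SAMPLE_LOG = [  # constructed lines modelled on the two messages quoted in the advisory
    'date=2026-01-15 time=03:12:07 msg="Administrator sso-account@example.invalid logged in successfully from sso(104.28.244.115)"',
    'date=2026-01-15 time=03:12:11 msg="System config file has been downloaded by user sso-account@example.invalid via GUI(104.28.244.115)"',
    'date=2026-01-15 time=03:12:19 ui="GUI(104.28.244.115)" cfgobj="secadmin" msg="Add system.admin secadmin"',
]

def parse(line):  # FortiGate event lines are space-separated key=value pairs, values optionally quoted
    return {k: q or u for k, _, q, u in KV_RE.findall(line)}

def classify(ev):  # map an event to one step of the sequence: (kind, name, source_ip) or None
    msg = ev.get("msg", "")
    if m := LOGIN_RE.search(msg):
        return "sso_login", m.group(1), m.group(2)
    if m := DOWNLOAD_RE.search(msg):
        return "config_download", m.group(1), m.group(2)
    if m := ADD_ADMIN_RE.search(msg):
        src = IP_RE.search(ev.get("ui", ""))  # assumed: ui="GUI(x.x.x.x)" carries the operator's address
        return "admin_added", m.group(1), src.group(0) if src else ""
    return None

def detect(lines):  # correlate the steps per source IP and return human-readable findings
    findings, last_login = [], {}
    for ev in map(parse, lines):
        if not (step := classify(ev)):
            continue
        kind, name, ip = step
        ts = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
        if ip in IOC_IPS:
            findings.append(f"{ts} {kind} by {name} from known IOC address {ip}")
        if kind == "sso_login":
            last_login[ip] = ts
        elif ip in last_login and (ts - last_login[ip]).total_seconds() <= WINDOW_SECONDS:
            findings.append(f"{ts} {kind} {int((ts - last_login[ip]).total_seconds())}s after SSO login from {ip}")
        if kind == "admin_added" and name in PERSISTENCE_NAMES:
            findings.append(f"{ts} persistence account '{name}' created from {ip}")
    return findings
```

Running detect(SAMPLE_LOG) yields six findings for the three constructed lines: each step from the IOC address, the download and account creation seconds after the login, and the secadmin persistence account.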
3. Proactive Defense and Mitigation Strategies
Organizations must adopt a multi-faceted defense strategy to protect against these automated threats. First and foremost, it is essential to regularly check official channels from Fortinet for security advisories and product updates for all FortiGate devices. When security patches are released, they should be applied as soon as possible to close known vulnerabilities. However, patching alone may not be sufficient if a compromise has already occurred. If any activity matching the IOCs described in this campaign is observed, it must be assumed that all hashed firewall credentials stored in the exfiltrated configuration file have been compromised. Threat actors are known to crack these hashes offline, particularly if the credentials are weak or susceptible to dictionary attacks. Therefore, it is imperative to reset all firewall credentials immediately after detecting a breach. This practice should also be followed after applying a relevant security patch, as it guards against the future use of credentials that may have been stolen before the system was fully secured.
A fundamental security best practice that can significantly mitigate the risk of such attacks is to strictly limit access to the management interfaces of all network appliances. Threat actors frequently use specialized search engines to scan the internet for publicly exposed management interfaces of firewalls, VPNs, and other critical infrastructure, making them prime targets for mass exploitation campaigns. Over the last few years, numerous campaigns have specifically targeted these interfaces on devices from various vendors. To harden the security posture, organizations should configure their firewalls to restrict all management interface access to trusted, internal networks only. This simple yet highly effective measure removes the device from public visibility and dramatically reduces its attack surface, preventing automated scanners and remote attackers from ever reaching the login portal. This vendor-agnostic approach should be a standard component of any network security policy, providing a critical layer of defense against both known and future threats.
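As an added example of checking the hardening step described above (written for this page, not Fortinet's own tooling), the following Python script parses a FortiOS-style configuration excerpt and reports two exposures: management services allowed on an interface with the WAN role, and administrator accounts with no trusthost restriction. The excerpt and the config/edit/set/next/end block syntax it relies on are assumptions drawn from the usual FortiOS layout.

```python
# Constructed FortiOS-style excerpt (assumed syntax): one exposed WAN port, one unrestricted admin.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
    next
    edit "netops"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end
"""
MGMT_SERVICES = {"https", "http", "ssh", "telnet", "snmp"}  # services that reach a login or control plane

def parse_fortios(text):  # returns {table: {entry: {attribute: [values]}}}
    tables, table, entry = {}, None, None
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] == "config":
            table = " ".join(tok[1:])
            tables.setdefault(table, {})
        elif tok[0] == "edit":
            entry = tok[1].strip('"')
            tables[table][entry] = {}
        elif tok[0] == "set" and entry is not None:
            tables[table][entry][tok[1]] = [v.strip('"') for v in tok[2:]]
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            table = None
    return tables

def audit(text):  # management reachable from the WAN role, or admins accepted from any source
    cfg, issues = parse_fortios(text), []
    for name, attrs in cfg.get("system interface", {}).items():
        exposed = MGMT_SERVICES & set(attrs.get("allowaccess", []))
        if attrs.get("role") == ["wan"] and exposed:
            issues.append(f"interface {name}: management services {sorted(exposed)} reachable from WAN")
    for name, attrs in cfg.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in attrs):
            issues.append(f"admin {name}: no trusthost set, login accepted from any source address")
    return issues
```

On the constructed excerpt audit(SAMPLE_CONFIG) reports wan1 (https and ssh open toward the WAN) and the admin account with no trusthost, while the LAN-side port and the netops account pass.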
4. A Potential Workaround and Concluding Thoughts
Given that the core of this attack campaign revolves around the exploitation of SSO logins, a potential temporary workaround is available for consideration. Until Fortinet releases updated remediation guidance or a definitive patch, organizations may choose to disable the FortiCloud SSO login feature on their devices. This can be accomplished through either the GUI or the command-line interface (CLI). To turn off the feature via the GUI, navigate to System -> Settings and switch the "Allow administrative login using FortiCloud SSO" option to Off. For administrators who prefer the CLI, the same result can be achieved by entering the following commands:
config system global
set admin-forticloud-sso-login disable
end
It is important to note that due to the evolving nature of this threat, it is not yet known if this workaround will be fully effective against the newly observed activity. It should be viewed as a temporary mitigation measure while a more permanent solution is developed and deployed.
This campaign serves as a stark reminder of the persistent and evolving nature of automated cyber threats. The attackers demonstrate a high level of sophistication by leveraging SSO logins to execute rapid, scripted attacks that combine initial access, data exfiltration, and the establishment of persistence within seconds. The investigation highlights the critical importance of a defense-in-depth strategy: vigilant monitoring for IOCs, timely application of security patches, and the immediate reset of potentially compromised credentials. Moreover, the incident underscores the foundational security principle of limiting the exposure of management interfaces to the public internet. Organizations that have already implemented such network hardening practices are in a much stronger position to fend off these automated probes. Disabling the FortiCloud SSO feature provides a viable temporary stopgap, offering a layer of protection while a comprehensive response is formulated.