Urgent Alert: Fortinet Firewall Zero-Day Exploit Highlights Cyber Risks

A significant new cybersecurity threat has emerged, targeting Fortinet FortiGate firewall devices. Cybersecurity firm Arctic Wolf has raised an alarm over a campaign that exploits the management interfaces of these firewalls exposed on the public internet. This campaign, which began in mid-November 2024, involves unauthorized administrative logins, the creation of new accounts, SSL VPN authentication, and several configuration changes. Threat actors have been accessing the management interfaces of the firewalls, modifying configurations, and extracting credentials using a technique called DCSync, raising serious concerns about the security of critical infrastructure.

Discovery and Initial Impact

Arctic Wolf assesses with high confidence that the campaign exploited a zero-day vulnerability, given how quickly and widely it hit organizations. Although the exact method of initial access remains unknown, that assessment rests on the firm’s analysis of the timeline and of the range of firmware versions targeted. Affected firmware versions span 7.0.14 to 7.0.16, which places the vulnerability window between February and October 2024. The speed and scale of the attack had immediate consequences across several sectors and exposed serious gaps in defensive practice.

The intrusion campaign has unfolded in four distinct phases since November 16, 2024. It opened with vulnerability scanning and reconnaissance, after which the attackers logged in through the jsconsole interface from a small number of unusual IP addresses. The variation in source addresses suggests that multiple actors or groups may be involved, although the use of jsconsole remained consistent throughout. This systematic approach allowed the attackers to exploit devices efficiently while attracting little attention during the early phases, which underscores the sophistication of their methods.

Attack Progression and Techniques

Subsequent configuration changes included switching the console output setting from “standard” to “more” as an aid to reconnaissance. By early December 2024, the attackers had created super admin accounts, which they then used to set up six new local user accounts per device or to hijack existing accounts. These accounts were added to groups with SSL VPN access, extending the attackers’ reach and control within the affected networks. This phase marked a deliberate escalation aimed at entrenching their position on the compromised systems.

As detailed by Arctic Wolf, the attackers also created new SSL VPN portals and added user accounts directly to them. The SSL VPN tunnels they established originated from a limited number of VPS hosting providers, showing coordinated use of a shared pool of infrastructure. This careful orchestration of resources and tunnel creation points to a high level of planning and operational security, and it makes detection and mitigation significantly harder for network administrators.
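The phases described above (jsconsole logins from unusual addresses, the console output change, new super admin and local accounts, SSL VPN portal and group changes) all leave traces in a firewall's event log. The script below is an added example, not code from the article or from Arctic Wolf, that triages such logs. The sample log lines are constructed; the field names (devname, logdesc, ui, srcip, action, cfgpath, cfgobj, cfgattr) are assumptions modeled on FortiOS's key=value event-log layout, and every value in them is made up, as is the trusted administrative network.

```python
"""Triage of FortiGate-style event logs for the intrusion pattern described above.

Added example, not code from the article or from Arctic Wolf. The log lines are
constructed; the field names (devname, logdesc, ui, srcip, action, cfgpath,
cfgobj, cfgattr) are assumptions modeled on FortiOS's key=value event-log
layout, and every value in them is made up.
"""
import ipaddress
import re
from collections import Counter

# key=value tokenizer: values are either double-quoted (may contain spaces) or bare
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Networks from which interactive admin logins are expected (constructed value).
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed sample: the first device walks through the phases the article lists;
# the second device shows a normal login that must not be flagged.
SAMPLE_LOGS = [
    'devname="fw-edge-1" logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=10.10.0.5 action="login" status="success"',
    'devname="fw-edge-1" logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=127.0.0.1 action="login" status="success"',
    'devname="fw-edge-1" logdesc="Object attribute configured" user="admin" ui="jsconsole" action="Edit" cfgpath="system.console" cfgattr="output[standard->more]"',
    'devname="fw-edge-1" logdesc="Object configured" user="admin" ui="jsconsole" action="Add" cfgpath="system.admin" cfgobj="svc_backup" cfgattr="accprofile[super_admin]"',
    'devname="fw-edge-1" logdesc="Object configured" user="svc_backup" ui="jsconsole" action="Add" cfgpath="vpn.ssl.web.portal" cfgobj="portal-x"',
    'devname="fw-edge-1" logdesc="Object attribute configured" user="svc_backup" ui="jsconsole" action="Edit" cfgpath="user.group" cfgobj="sslvpn-users" cfgattr="member[u1 u2 u3 u4 u5 u6]"',
    'devname="fw-edge-2" logdesc="Admin login successful" user="admin" ui="https(10.10.0.5)" srcip=10.10.0.5 action="login" status="success"',
]
# six local accounts created on the first device, matching the article's description
SAMPLE_LOGS += [
    f'devname="fw-edge-1" logdesc="Object configured" user="svc_backup" ui="jsconsole" action="Add" cfgpath="user.local" cfgobj="u{i}"'
    for i in range(1, 7)
]


def parse_kv(line):
    """Split one log line into a dict; surrounding quotes are stripped from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def from_trusted_net(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # a missing or malformed srcip is treated as untrusted
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def triage(lines, local_user_threshold=3):
    """Return (device, finding, detail) tuples for the behaviours the article describes."""
    findings = []
    local_user_adds = Counter()
    for line in lines:
        ev = parse_kv(line)
        dev = ev.get("devname", "unknown")
        desc = ev.get("logdesc", "")
        path = ev.get("cfgpath", "")
        attr = ev.get("cfgattr", "")
        action = ev.get("action", "")
        # jsconsole admin login from an address outside the trusted networks
        if desc == "Admin login successful" and ev.get("ui") == "jsconsole" \
                and not from_trusted_net(ev.get("srcip", "")):
            findings.append((dev, "jsconsole admin login from untrusted source", ev.get("srcip", "")))
        # console output switched to "more"
        if path == "system.console" and attr.endswith("->more]"):
            findings.append((dev, "console output changed to 'more'", attr))
        # new administrator created with the super_admin profile
        if path == "system.admin" and action == "Add" and "super_admin" in attr:
            findings.append((dev, "new super_admin account", ev.get("cfgobj", "")))
        # burst of local user creation, counted per device and reported once
        if path == "user.local" and action == "Add":
            local_user_adds[dev] += 1
        # SSL VPN portal/settings changes and group membership edits; whether the
        # group actually grants SSL VPN access is left to the analyst to confirm
        if path.startswith("vpn.ssl") or (path == "user.group" and "member[" in attr):
            detail = f"{path} {ev.get('cfgobj', '')} {attr}".strip()
            findings.append((dev, "SSL VPN or group membership change", detail))
    for dev, n in local_user_adds.items():
        if n >= local_user_threshold:
            findings.append((dev, f"{n} local user accounts created", ""))
    return findings


if __name__ == "__main__":
    for dev, what, detail in triage(SAMPLE_LOGS):
        print(f"{dev}: {what} {detail}".rstrip())
```

Run against the constructed sample, the script reports six findings for fw-edge-1 and nothing for fw-edge-2, whose HTTPS login came from the trusted network. The local-user rule is aggregated per device rather than firing on each creation, so a single legitimate account does not raise an alert while the six-account burst does.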

Exploitation and Mitigation

The campaign culminated in the attackers using SSL VPN access together with the extracted credentials to move laterally within the targeted networks. The credential-extraction technique, DCSync, abuses Active Directory’s domain-controller replication mechanism to pull sensitive account data from domain controllers. The attackers’ end goals remain unclear, because they purged evidence of their activity before the next stage could be observed. This deliberate erasure of evidence suggests an intent to cover their tracks and possibly to prepare for future attacks, adding another layer of complexity to the ongoing investigations.

Organizations are advised to mitigate these risks by not exposing firewall management interfaces to the public internet and limiting access to trusted users only. The campaign’s victimology was broad, affecting diverse sectors and organization sizes. This broad scope, coupled with automated login/logout events, hinted at opportunistic rather than targeted attacks. The general nature of this campaign means that defenses cannot be narrowly tailored but must be robust and comprehensive to prevent similar breaches in the future.

Fortinet’s Response and Vulnerability Details

Fortinet later confirmed the discovery of a critical authentication bypass vulnerability (CVE-2024-55591) in FortiOS and FortiProxy. This flaw has been weaponized to hijack firewalls and breach enterprise networks. The vulnerability, identified as an alternate path or channel issue (CWE-288), allows a remote attacker to gain super-admin privileges through crafted requests to the Node.js websocket module. This vulnerability has been exploited in the wild, demonstrating the urgent necessity for patches and updates to avoid further exploitation.

The flaw affects the following firmware versions: FortiOS 7.0.0 through 7.0.16 (recommended upgrade to 7.0.17 or above), FortiProxy 7.0.0 through 7.0.19 (recommended upgrade to 7.0.20 or above), and FortiProxy 7.2.0 through 7.2.12 (recommended upgrade to 7.2.13 or above). The widespread effect of this vulnerability on several firmware versions highlights the critical need for organizations to promptly upgrade their systems to the recommended versions to thwart potential cyber threats efficiently.
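The two recommendations above, keeping management interfaces off the public internet and upgrading to a fixed firmware version, can both be checked from a device's own output. The script below is an added example, not code from the article or from Fortinet, that classifies a device against the version ranges stated in the article and audits a configuration excerpt for WAN-side management access and administrator accounts without trusted-host restrictions. The version table holds only the ranges the article lists; the configuration excerpts and the "get system status" line are constructed, with made-up interface names, addresses and build numbers, and the parser handles flat "edit ... next" blocks only.

```python
"""Patch-status and exposure audit for a FortiGate, covering the article's two
recommendations (no management access from the internet; upgrade to fixed firmware).

Added example, not code from the article or from Fortinet. The version table holds
only the ranges the article states; the config excerpts and status line are
constructed (made-up interface names, addresses, build numbers). The config
parser handles flat 'edit ... next' blocks only, not nested config sections.
"""
import re

# Branches and versions as stated in the article. Any other branch is reported
# as "not listed", never as safe.
ADVISORY = {
    ("FortiOS", (7, 0)): {"last_affected": (7, 0, 16), "fixed": (7, 0, 17)},
    ("FortiProxy", (7, 0)): {"last_affected": (7, 0, 19), "fixed": (7, 0, 20)},
    ("FortiProxy", (7, 2)): {"last_affected": (7, 2, 12), "fixed": (7, 2, 13)},
}
VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)")
MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}


def patch_status(product, status_line):
    """Classify a device from the 'Version:' line of 'get system status'."""
    m = VERSION_RE.search(status_line)
    if not m:
        raise ValueError("no vX.Y.Z version string found")
    ver = tuple(int(x) for x in m.groups())  # numeric tuples, so 7.0.9 < 7.0.16
    entry = ADVISORY.get((product, ver[:2]))
    if entry is None:
        return "not listed in the article; check the vendor advisory"
    if ver <= entry["last_affected"]:
        return "affected, upgrade to %d.%d.%d" % entry["fixed"]
    return "patched"


def parse_edit_blocks(config_text):
    """Yield (section, object name, settings) for each flat 'edit ... next' block."""
    section = name = settings = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
        elif line.startswith("edit "):
            name, settings = line[len("edit "):].strip('"'), {}
        elif line.startswith("set ") and settings is not None:
            key, *values = line[len("set "):].split()
            settings[key] = [v.strip('"') for v in values]
        elif line == "next" and settings is not None:
            yield section, name, settings
            name = settings = None
        elif line == "end":
            section = None


def audit_exposure(config_text):
    """Flag WAN-role interfaces allowing management protocols and admins with no trusthost."""
    findings = []
    for section, name, s in parse_edit_blocks(config_text):
        if section == "system interface":
            exposed = MGMT_PROTOCOLS & set(s.get("allowaccess", []))
            if s.get("role", [""])[0] == "wan" and exposed:
                findings.append(f"interface {name}: {' '.join(sorted(exposed))} allowed on WAN role")
        elif section == "system admin":
            if not any(k.startswith("trusthost") for k in s):
                findings.append(f"admin {name}: no trusthost restriction")
    return findings


# Constructed excerpts: the weak configuration beside its hardened form. The LAN-side
# interface keeps HTTPS/SSH in both, since the concern is internet-facing exposure.
WEAK_CONFIG = """
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
"""
HARDENED_CONFIG = """
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end
"""
# Constructed status line in the shape of 'get system status' output.
STATUS_LINE = "Version: FortiGate-100F v7.0.15,build0632,240320 (GA.M)"

if __name__ == "__main__":
    print("patch status:", patch_status("FortiOS", STATUS_LINE))
    for finding in audit_exposure(WEAK_CONFIG):
        print("weak config:", finding)
    print("hardened config findings:", audit_exposure(HARDENED_CONFIG))
```

The version comparison works on integer tuples rather than strings so that 7.0.9 sorts below 7.0.16, and a branch the article does not mention (FortiOS 7.2, for instance) is returned as unlisted rather than silently treated as patched. The exposure audit flags only interfaces whose role is wan, so management access on an internal interface is not reported; an administrator account with no trusthost entries is reported regardless, because that is what lets a login attempt arrive from anywhere the interface is reachable.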

Coordinated Response and Recommendations

Taken together, the Arctic Wolf findings and Fortinet’s advisory describe a campaign that began in mid-November 2024 against FortiGate management interfaces exposed on the public internet: unauthorized administrative logins, the creation of new accounts, SSL VPN authentication and configuration changes, followed by credential extraction using DCSync. Because control over a firewall’s configuration combined with harvested credentials can lead to extensive disruption and further breaches, organizations running Fortinet FortiGate firewalls need to remain vigilant, keep their management interfaces off the public internet, restrict administrative access to trusted sources, and upgrade to the fixed firmware versions.
