Zero-Day Vulnerability Targets Fortinet FortiGate Firewalls

by CybrGPT

Cybersecurity firm Arctic Wolf disclosed on Friday that threat actors recently targeted Fortinet FortiGate firewall devices with management interfaces exposed on the public Internet in a suspected zero-day campaign.

According to Arctic Wolf Labs researchers, malicious activity against Fortinet firewalls began in mid-November 2024. Unknown threat actors altered firewall configurations by accessing management interfaces on affected firewalls and extracting credentials using DCSync in compromised environments.

“The campaign involved unauthorized administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes,” security researchers at Arctic Wolf wrote in a blog post published last week.

While the initial access vector used in this campaign remains unknown, Arctic Wolf Labs assesses with high confidence that mass exploitation of a zero-day vulnerability is likely, given the compressed timelines across affected organizations and the range of affected firmware versions.

Firmware versions between 7.0.14 and 7.0.16 were predominantly affected; these were released in February 2024 and October 2024 respectively.

Arctic Wolf Labs has currently identified four separate attack phases of the campaign that targeted vulnerable FortiGate devices between November 2024 and December 2024:

Phase 1: Vulnerability scanning (November 16, 2024 to November 23, 2024)

Phase 2: Reconnaissance (November 22, 2024 to November 27, 2024)

Phase 3: SSL VPN configuration (December 4, 2024 to December 7, 2024)

Phase 4: Lateral Movement (December 16, 2024 to December 27, 2024)

In the first phase, the threat actors conducted vulnerability scans and made use of jsconsole sessions with connections to and from unusual IP addresses, such as loopback addresses (e.g., 127.0.0.1) and popular DNS resolvers including Google Public DNS and Cloudflare. Such sessions are a useful indicator for threat hunting, since legitimate administrators rarely appear to log in from those addresses.
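The hunting indicator described above, as an added example that is not code from the original article, Arctic Wolf, or Fortinet: it parses constructed FortiGate-style key=value event log lines (a simplified format, assumed here) and flags jsconsole logins whose source or destination is a loopback address or one of the well-known Google Public DNS and Cloudflare resolver addresses.

```python
import ipaddress
import re

# Well-known Google Public DNS and Cloudflare resolver addresses, the resolvers
# the article names as unusual session endpoints (assumed list, easy to extend).
SUSPICIOUS_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}

# key=value pairs; values are either double-quoted or a run of non-whitespace.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse one FortiGate-style key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_anomalous_endpoint(ip_text):
    """True for any loopback address (127.0.0.0/8, ::1) or a listed public resolver."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # missing or malformed field: not an anomaly by itself
    return ip.is_loopback or ip_text in SUSPICIOUS_RESOLVERS


def find_suspicious_jsconsole(lines):
    """Return (user, field, address) for jsconsole logins touching anomalous endpoints."""
    hits = []
    for line in lines:
        rec = parse_kv(line)
        if rec.get("ui") != "jsconsole" or rec.get("action") != "login":
            continue
        for field in ("srcip", "dstip"):
            addr = rec.get(field, "")
            if is_anomalous_endpoint(addr):
                hits.append((rec.get("user", "?"), field, addr))
                break
    return hits


# Constructed sample log lines in a simplified FortiGate-like format (assumption).
SAMPLE_LOGS = [
    'date=2024-11-18 type="event" subtype="system" action="login" status="success" ui="https(203.0.113.5)" srcip=203.0.113.5 user="admin"',
    'date=2024-11-18 type="event" subtype="system" action="login" status="success" ui="jsconsole" srcip=127.0.0.1 user="admin"',
    'date=2024-11-19 type="event" subtype="system" action="login" status="success" ui="jsconsole" srcip=8.8.8.8 user="admin"',
    'date=2024-11-19 type="event" subtype="system" action="login" status="success" ui="jsconsole" srcip=10.0.0.20 user="netops"',
]

if __name__ == "__main__":
    for user, field, addr in find_suspicious_jsconsole(SAMPLE_LOGS):
        print(f"suspicious jsconsole login: user={user} {field}={addr}")
```

The last sample line shows the intended negative case: a jsconsole login from an internal RFC 1918 address is not flagged, so the rule stays focused on the loopback and public-resolver pattern the article describes.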

In the reconnaissance phase, the attackers made the first unauthorized configuration changes across several victim organizations to verify whether they had successfully obtained access to commit changes on exploited firewalls.

During the third phase of the campaign, threat actors made substantial changes to compromised devices to establish SSL VPN access.

In some intrusions, they created new super admin accounts, while in others, they hijacked existing accounts to gain SSL VPN access. Threat actors also created new SSL VPN portals where the user accounts were added directly.

In the last phase, after successfully gaining SSL VPN access within the victim organization’s environment, the threat actors used the DCSync technique to extract credentials for lateral movement.

According to the cybersecurity company, the threat actors were removed from affected systems before they could proceed further.

Arctic Wolf Labs notified Fortinet about the activity observed in this campaign on December 12, 2024. FortiGuard Labs PSIRT confirmed on December 17, 2024, that it is aware of the known activity and is actively investigating the issue.

To safeguard against such security issues, Arctic Wolf Labs recommends that organizations immediately disable firewall management access on public-facing interfaces and limit access to trusted users.

It also advises regularly upgrading the firmware on firewall devices to the latest version to protect against known vulnerabilities.

© 2025 cybrgpt.com – All rights reserved.