Fortinet confirms zero-day flaw used in attacks against its firewalls

by CybrGPT

The advisory from the cybersecurity company follows a report from security researchers who observed exploits in the wild in early December as part of a widespread campaign.


Fortinet has confirmed the existence of a critical authentication bypass vulnerability in specific versions of FortiOS firewalls and FortiProxy secure web gateways. The flaw has been exploited in the wild since early December in what appears to be an indiscriminate and widespread campaign, according to cybersecurity firm Arctic Wolf.

The fix for this zero-day is part of a bigger patch cycle by Fortinet, which released updates for 29 vulnerabilities across multiple products, 14 of which impact FortiOS, the operating system used in Fortinet’s FortiGate firewalls. Some of the flaws impact multiple products that share the same code, which is the case for the zero-day now tracked as CVE-2024-55591.

Although Fortinet does not credit Arctic Wolf with discovering the vulnerability, the indicators of compromise listed in the advisory match the analysis of the attack campaign Arctic Wolf warned about in December and documented in more detail on Friday.

At the time Arctic Wolf said it didn’t know the initial attack vector, but its researchers strongly suspected a zero-day vulnerability was involved. After Fortinet released its advisory today, Arctic Wolf confirmed to CSO that CVE-2024-55591 is indeed the vulnerability exploited in the attacks it saw and reported to Fortinet in December.

“In early December, Arctic Wolf Labs observed a cluster of intrusions affecting Fortinet devices in the tens within a short timeframe,” the company told CSO via email. “Most of these intrusions took place within three days of each other, but the campaign extended into the following weeks as well.”

Authentication bypass in Node.js

Fortinet describes the vulnerability as an authentication bypass via an alternate path or channel. Successful exploitation of the flaw allows a remote attacker to gain superadmin privileges by sending specifically crafted requests to the Node.js websocket module. The Node.js JavaScript runtime is one of the most popular platforms for developing JavaScript-based applications.

The vulnerability is rated critical with a CVSS score of 9.6 and impacts:

  • FortiOS 7.0: versions 7.0.0 through 7.0.16;
  • FortiProxy 7.0: versions 7.0.0 through 7.0.19;
  • FortiProxy 7.2: versions 7.2.0 through 7.2.12.

Older branches of FortiOS such as 6.4 or newer ones such as 7.2, 7.4, and 7.6 are not impacted.

Rogue VPN accounts and credential sniffing

According to Arctic Wolf’s observations, the attackers scanned for vulnerable devices as early as Nov. 16 when multiple login events as admin were observed in the jsconsole of vulnerable devices. The jsconsole, a feature of the FortiOS web management interface, allows admins to access the command-line interface of the underlying OS via a web-based environment using JavaScript. This feature has been abused in previous Fortinet exploits, including a 2023 proof-of-concept exploit for CVE-2022-26118.

The login events observed by Arctic Wolf used spoofed source IP addresses such as the local loopback address 127.0.0.1 or the IP addresses of public DNS resolvers run by Google and Cloudflare: 1.1.1.1, 2.2.2.2, 8.8.8.8, and 8.8.4.4. Sometimes the attackers forgot to spoof their source addresses, revealing addresses associated with a virtual private server (VPS) provider.

Following this initial scan stage, which involved very short-lived login and logout events that seemed indiscriminate and targeted organizations from various sectors, the attackers returned and began making configuration changes, first by altering a setting that controls how output is displayed over multiple pages in the jsconsole and then adding new superadmin accounts following five- or six-character patterns.

These new accounts were then used to create up to six local users per device using a similar naming scheme and adding those users to existing user groups with SSL VPN access. In some cases, they hijacked existing accounts or reset the password for the guest account and added them to SSL VPN groups.

“Threat actors were also observed creating new SSL VPN portals which they added user accounts to directly,” the Arctic Wolf researchers wrote in their report. “In addition, some threat actors assigned specific ports to their VPN portal configurations, changing them between different sessions. These ports included 4433, 59449, and 59450, among others.”

Following these malicious changes, the attackers established SSL VPN tunnels to the affected devices, connecting from IP addresses at a handful of VPS hosting providers.
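Added example, not code from the article, Fortinet or Arctic Wolf: a small Python detector that applies the indicators described above (jsconsole admin logins from loopback or public-resolver source addresses, new admin accounts, SSL VPN port changes to 4433/59449/59450) to FortiOS-style key=value event logs. The field names (ui, srcip, action, cfgpath, cfgobj, cfgattr), the port attribute syntax and the sample lines are constructed approximations, not a verified Fortinet log format.

```python
import re

# Source addresses the article reports as spoofed in jsconsole logins
SPOOFED_SRC = {"127.0.0.1", "1.1.1.1", "2.2.2.2", "8.8.8.8", "8.8.4.4"}
# Non-default SSL VPN ports quoted from the Arctic Wolf report
SUSPECT_VPN_PORTS = {"4433", "59449", "59450"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PORT_RE = re.compile(r'port\[(\d+)->(\d+)\]')  # assumed "old->new" attribute syntax

def parse(line):
    """Split a FortiOS-style key=value event line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def classify(line):
    """Return the findings for one event line; an empty list means no match."""
    ev = parse(line)
    hits = []
    if (ev.get("action") == "login" and ev.get("ui") == "jsconsole"
            and ev.get("srcip") in SPOOFED_SRC):
        hits.append(f"jsconsole admin login from spoofed source {ev['srcip']}")
    if ev.get("action") == "Add" and ev.get("cfgpath") == "system.admin":
        hits.append(f"new admin account created: {ev.get('cfgobj', '?')}")
    if ev.get("cfgpath") == "vpn.ssl.settings":
        m = PORT_RE.search(ev.get("cfgattr", ""))
        if m and m.group(2) in SUSPECT_VPN_PORTS:
            hits.append(f"SSL VPN port moved {m.group(1)}->{m.group(2)}")
    return hits

def scan(log_text):
    """Run classify() over every non-empty line; return (line_no, finding) pairs."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            findings.extend((n, f) for f in classify(line))
    return findings

# Constructed sample events: field names approximate FortiOS, all values are made up
SAMPLE_LOG = """\
logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=127.0.0.1 action="login" status="success"
logdesc="Admin login successful" user="admin" ui="https(203.0.113.10)" srcip=203.0.113.10 action="login" status="success"
logdesc="Object configured" user="admin" ui="jsconsole" action="Add" cfgpath="system.admin" cfgobj="abcde"
logdesc="Attribute configured" user="admin" ui="jsconsole" action="Edit" cfgpath="vpn.ssl.settings" cfgattr="port[443->4433]"
logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=8.8.8.8 action="login" status="success"
"""

if __name__ == "__main__":
    for n, finding in scan(SAMPLE_LOG):
        print(f"line {n}: {finding}")
```

Feed real exported event logs to scan() in place of SAMPLE_LOG and adjust the field names to match the device's actual log schema.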

Once they had VPN connections into the network, the attackers extracted credentials for lateral movement and launched a DCSync attack if they captured domain admin credentials. This attack involves using Microsoft Directory Replication Service Remote Protocol (MS-DRSR) commands to impersonate a domain controller and obtain user credentials from another legitimate domain controller.

“The intrusions we observed only represent a limited sample compared to the total actual number of devices that were likely affected, but the evidence points to an effort to exploit a large number of devices within a narrow timeframe,” Arctic Wolf told CSO.

Both the Arctic Wolf reports and the Fortinet advisories include indicators of compromise. As a workaround, Fortinet suggests disabling the HTTP/HTTPS administrative interface or limiting the IP addresses that can reach the administrative interface via local-in policies, following the steps it provided in the advisory.
