Zero-Day Vulnerability Targets Exposed FortiGate Firewalls: Attack Campaign Uncovered
Cybersecurity experts are raising alarms over a new campaign targeting Fortinet FortiGate firewall devices with publicly exposed management interfaces. This sophisticated attack involved unauthorized access to firewall management interfaces, the creation of new accounts, exploitation of SSL VPNs, and various configuration changes, as noted by cybersecurity firm Arctic Wolf in a recent analysis.
Campaign Timeline and Attack Progression
The malicious activity, believed to have started around mid-November 2024, saw unknown threat actors compromising the management interfaces of affected FortiGate firewalls. The attackers used these interfaces to modify configurations and extract sensitive credentials using DCSync, a technique that abuses Active Directory replication to harvest credentials, typically as a step toward lateral movement in Windows environments.
While the exact initial entry method is still unclear, cybersecurity researchers believe the attack may have been enabled by a zero-day vulnerability. This assessment is based on the rapid exploitation across organizations and on the firmware versions affected. The targeted firmware versions of the devices ranged between 7.0.14 and 7.0.16, which were released between February and October 2024.
Attack Phases and Techniques
The attackers appeared to have followed a structured approach across four distinct phases, beginning with vulnerability scanning and reconnaissance. These early stages allowed the attackers to identify potential targets, ultimately leading to configuration changes and lateral movement.
A key distinguishing factor in these attacks was the use of the jsconsole interface, with logins often originating from unusual IP addresses. Arctic Wolf’s researchers observed subtle variations in tradecraft, suggesting that multiple threat actors may have been involved in the campaign. However, the common use of the jsconsole interface indicates that it was central to the attacks.
Tactics, Techniques, and Procedures (TTPs)
Upon successfully gaining access, the attackers logged into the firewall management interfaces, where they modified settings such as the output configuration to enable deeper reconnaissance. By early December 2024, the attackers had created new super admin accounts, which were later used to configure up to six local user accounts per device. These user accounts were added to pre-existing groups set up by organizations for SSL VPN access.
In other instances, existing user accounts were hijacked and added to groups with SSL VPN access, allowing the attackers to establish VPN tunnels with the affected devices. All client IP addresses associated with these tunnels originated from VPS hosting providers, adding a layer of obfuscation to the attack.
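As an added example (not code from the article, from Arctic Wolf or from Fortinet), the detection logic below runs over constructed FortiGate-style event log lines and flags the behaviours described above: admin logins through the jsconsole interface from outside an assumed trusted management subnet (10.0.0.0/24 is an assumption), changes to the CLI output setting, creation of admin accounts, membership changes to user groups such as those used for SSL VPN, and bursts of logins from a single source that look automated. The field names (ui, srcip, cfgpath, cfgobj, cfgattr) follow FortiGate's key=value log style; the sample lines, addresses and burst thresholds are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed FortiGate-style event log lines (key=value syntax). Illustrative
# samples only, not captures from the reported campaign; addresses are from
# documentation ranges.
SAMPLE_LOGS = [
    'date=2024-11-18 time=03:14:07 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="jsconsole" srcip=198.51.100.23 action="login" status="success"',
    'date=2024-11-18 time=03:14:09 type="event" subtype="system" logdesc="Attribute configured" '
    'user="admin" ui="jsconsole" srcip=198.51.100.23 action="Edit" cfgpath="system.global" '
    'cfgattr="output[standard->more]"',
    'date=2024-12-02 time=22:41:15 type="event" subtype="system" logdesc="Object configured" '
    'user="admin" ui="jsconsole" srcip=198.51.100.23 action="Add" cfgpath="system.admin" cfgobj="svc-backup"',
    'date=2024-12-02 time=22:45:30 type="event" subtype="system" logdesc="Attribute configured" '
    'user="svc-backup" ui="jsconsole" srcip=198.51.100.23 action="Edit" cfgpath="user.group" '
    'cfgobj="sslvpn-users" cfgattr="member[alice->alice vpn-user1]"',
    # Legitimate login from the assumed management subnet over the web GUI.
    'date=2024-12-03 time=09:00:02 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="https(10.0.0.5)" srcip=10.0.0.5 action="login" status="success"',
    # Three logins within a few seconds from one source: looks automated.
    'date=2024-12-03 time=03:20:01 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="jsconsole" srcip=203.0.113.9 action="login" status="success"',
    'date=2024-12-03 time=03:20:02 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="jsconsole" srcip=203.0.113.9 action="login" status="success"',
    'date=2024-12-03 time=03:20:04 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="jsconsole" srcip=203.0.113.9 action="login" status="success"',
]

# Assumption: the organisation's only expected admin source subnet.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> dict:
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def is_trusted(ip: str) -> bool:
    """True if the source address falls inside an expected management subnet."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def find_indicators(lines, burst_window_s=5, burst_min=3):
    """Return (kind, source_ip, detail) tuples for suspicious admin activity."""
    findings = []
    logins_by_src = defaultdict(list)
    for ev in map(parse_line, lines):
        action, ui, src = ev.get("action", ""), ev.get("ui", ""), ev.get("srcip", "")
        if action == "login" and ev.get("status") == "success":
            if ui == "jsconsole" and not is_trusted(src):
                findings.append(("jsconsole_login_untrusted_src", src, ev.get("user", "")))
            stamp = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
            logins_by_src[src].append(stamp)
        elif ev.get("cfgpath") == "system.global" and ev.get("cfgattr", "").startswith("output["):
            findings.append(("cli_output_setting_changed", src, ev["cfgattr"]))
        elif ev.get("cfgpath") == "system.admin" and action == "Add":
            findings.append(("admin_account_created", src, ev.get("cfgobj", "")))
        elif ev.get("cfgpath") == "user.group" and "member" in ev.get("cfgattr", ""):
            findings.append(("user_group_membership_changed", src, ev.get("cfgobj", "")))
    # Automated-looking activity: burst_min successful logins from one source
    # inside burst_window_s seconds.
    for src, times in logins_by_src.items():
        times.sort()
        for i in range(len(times) - burst_min + 1):
            if (times[i + burst_min - 1] - times[i]).total_seconds() <= burst_window_s:
                findings.append(("login_burst", src, f"{burst_min}+ logins within {burst_window_s}s"))
                break
    return findings


if __name__ == "__main__":
    for kind, src, detail in find_indicators(SAMPLE_LOGS):
        print(f"{kind:32} src={src:15} {detail}")
```

The jsconsole check is deliberately paired with a source allow-list rather than treated as malicious on its own, since an administrator working from the expected subnet can legitimately produce ui="jsconsole" events; the other rules fire on the configuration changes themselves, which is where the account creation and group edits described above would show up regardless of the interface used.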
Credential Extraction and Lateral Movement
The campaign culminated with attackers leveraging SSL VPN access to conduct credential extraction via DCSync, a technique commonly used to harvest credentials for lateral movement across networks. However, there is no visibility into the final objectives of the attackers, as their presence was wiped from the compromised environments before further activities could be carried out.
Mitigation and Recommendations
To defend against similar attacks, organizations should ensure their firewall management interfaces are not exposed to the public internet. Limiting access to trusted users and implementing strict access controls will significantly reduce the risk of such attacks. Arctic Wolf further emphasizes the need for organizations to monitor and manage firewall configurations carefully, especially in environments where remote access is granted.
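To make that recommendation checkable, here is an added example (not code from the article, from Arctic Wolf or from Fortinet) that parses a constructed FortiOS-style configuration excerpt and flags two weak settings: interfaces with role wan whose allowaccess list includes a management protocol, and admin accounts with no trusthost restriction. It then emits the corrective CLI for each finding. The interface names, addresses, account names, the 10.0.0.0/24 management subnet and the assumption that every role-wan interface is internet-facing are all constructed for the example; allowaccess and trusthost1 are real FortiOS settings.

```python
# Constructed FortiOS-style configuration excerpt: illustrative, not from a real device.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.5 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "svc-backup"
        set accprofile "super_admin"
    next
end
"""

# Protocols in allowaccess that expose a management interface.
MGMT_PROTOCOLS = {"https", "http", "ssh", "telnet"}


def parse_sections(text: str) -> dict:
    """Return {section: {entry: {setting: value}}} for top-level config...end
    blocks with edit...next entries. Nested config blocks inside an entry
    (depth > 1) are skipped, which is enough for this audit."""
    sections, current, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                current = line[len("config "):]
                sections[current] = {}
        elif line == "end":
            depth -= 1
            if depth == 0:
                current = None
        elif depth != 1:
            continue
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            sections[current][entry] = {}
        elif line == "next":
            entry = None
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            sections[current][entry][key] = value.strip('"')
    return sections


def audit(text: str) -> list:
    """Return (kind, object_name, detail) tuples for exposed management access."""
    cfg = parse_sections(text)
    findings = []
    for name, iface in cfg.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(iface.get("allowaccess", "").split())
        # Assumption: role wan means internet-facing.
        if iface.get("role") == "wan" and exposed:
            findings.append(("mgmt_on_wan_interface", name, " ".join(sorted(exposed))))
    for name, adm in cfg.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in adm):
            findings.append(("admin_without_trusthost", name, adm.get("accprofile", "")))
    return findings


def remediation(findings: list) -> list:
    """FortiOS CLI lines that close each finding: leave only ping on the WAN
    interface, and pin the admin to the assumed management subnet."""
    cli = []
    for kind, name, _ in findings:
        if kind == "mgmt_on_wan_interface":
            cli += ["config system interface", f'    edit "{name}"',
                    "        set allowaccess ping", "    next", "end"]
        elif kind == "admin_without_trusthost":
            cli += ["config system admin", f'    edit "{name}"',
                    "        set trusthost1 10.0.0.0 255.255.255.0", "    next", "end"]
    return cli


if __name__ == "__main__":
    found = audit(SAMPLE_CONFIG)
    for kind, name, detail in found:
        print(f"{kind:24} {name:12} {detail}")
    print("\n".join(remediation(found)))
```

Run against a real configuration backup, the same two checks cover the two halves of the recommendation: no management protocol reachable on an internet-facing interface, and every administrator account restricted to known source addresses even if an interface is later exposed by mistake.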
Targeting of Multiple Organizations
The campaign’s victimology was broad, affecting organizations of various sizes and sectors. The lack of targeted behavior and the appearance of automated login/logout events suggest that the attackers were operating opportunistically rather than methodically selecting specific organizations.
Fortinet Confirms Zero-Day Vulnerability
Fortinet has confirmed a critical vulnerability, CVE-2024-55591, affecting both FortiOS and FortiProxy. This authentication bypass vulnerability, with a CVSS score of 9.6, enables remote attackers to gain super-admin privileges by sending crafted requests to the Node.js websocket module. The vulnerability impacts the following versions:
- FortiOS 7.0.0 to 7.0.16 (Upgrade to 7.0.17 or higher)
- FortiProxy 7.0.0 to 7.0.19 (Upgrade to 7.0.20 or higher)
- FortiProxy 7.2.0 to 7.2.12 (Upgrade to 7.2.13 or higher)
Fortinet’s advisory, released on January 14, 2025, confirms that the vulnerability has been actively exploited by unknown threat actors to hijack firewalls, create admin and local user accounts, and make firewall policy changes. These actions mirror the tactics observed by Arctic Wolf during their investigation.