
Zero-Day Vulnerability: Fortinet FortiGate Firewalls Compromised

Jan 14, 2025 | Ravie Lakshmanan | Vulnerability / Network Security

Threat hunters have identified a new campaign targeting Fortinet FortiGate firewall devices with management interfaces exposed on the public internet.

“The campaign involved unauthorized administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes,” cybersecurity firm Arctic Wolf said in an analysis published last week.

The malicious activity is believed to have been carried out by hosting providers.

The campaign culminated with the adversaries leveraging the SSL VPN access to extract credentials for lateral movement using a technique called DCSync. However, there is currently no visibility into their end goals, because the intruders were purged from the compromised environments before the attacks could proceed to the next stage.

To mitigate such risks, it’s essential that organizations do not expose their firewall management interfaces to the internet and limit access to trusted users.

“The victimology in this campaign was not limited to any specific sectors or organization sizes,” the company said. “The diversity of victim organization profiles combined with the appearance of automated login/logout events suggests that the targeting was opportunistic in nature rather than being deliberately and methodically targeted.”
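The attack chain quoted above (admin login on an exposed management interface, creation of a new account, SSL VPN authentication with that account) and the automated login/logout pattern Arctic Wolf mentions are all visible in the firewall's own event logs. The following added example, which is not code from the article or from Arctic Wolf, correlates those steps over a handful of constructed log lines written in FortiGate-style key=value syslog syntax; the field names (`ui`, `cfgpath`, `cfgobj`, `remip`, `action`, `subtype`) are modelled on FortiOS event logs, while the IP addresses, user names, timestamps and the trusted management range are invented for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Management source ranges the organisation treats as trusted (assumed for this example).
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample events in FortiGate-style key=value syslog syntax.
# Field names are modelled on FortiOS event logs; hosts, users and IPs are invented.
SAMPLE_LOGS = """\
date=2024-12-01 time=08:00:01 type="event" subtype="system" action="login" status="success" user="admin" ui="https(10.20.0.5)"
date=2024-12-01 time=08:02:10 type="event" subtype="system" action="login" status="success" user="admin" ui="https(198.51.100.23)"
date=2024-12-01 time=08:02:12 type="event" subtype="system" action="logout" status="success" user="admin" ui="https(198.51.100.23)"
date=2024-12-01 time=08:02:40 type="event" subtype="system" action="login" status="success" user="admin" ui="https(198.51.100.23)"
date=2024-12-01 time=08:02:41 type="event" subtype="system" action="logout" status="success" user="admin" ui="https(198.51.100.23)"
date=2024-12-01 time=08:03:05 type="event" subtype="system" action="login" status="success" user="admin" ui="https(198.51.100.23)"
date=2024-12-01 time=08:03:30 type="event" subtype="system" action="Add" status="success" user="admin" ui="https(198.51.100.23)" cfgpath="system.admin" cfgobj="svc_backup"
date=2024-12-01 time=08:03:31 type="event" subtype="system" action="logout" status="success" user="admin" ui="https(198.51.100.23)"
date=2024-12-01 time=08:15:00 type="event" subtype="vpn" action="tunnel-up" status="success" user="svc_backup" remip="198.51.100.23"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UI_IP_RE = re.compile(r'\((\d{1,3}(?:\.\d{1,3}){3})\)')


def parse_line(line):
    """Turn one key=value log line into a dict; strips quotes and adds 'ts' and 'srcip'."""
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ev["ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
    # Admin GUI/CLI logins carry the client IP inside ui="https(a.b.c.d)"; VPN events use remip.
    m = UI_IP_RE.search(ev.get("ui", ""))
    ev["srcip"] = m.group(1) if m else ev.get("remip")
    return ev


def is_trusted(ip):
    """True when the source address falls inside an allowed management range."""
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_ADMIN_NETS)


def analyse(raw_logs, max_login_logout_gap=timedelta(seconds=5), min_repeats=2):
    """Correlate the campaign's steps and return a list of (rule, detail) findings in log order."""
    events = [parse_line(l) for l in raw_logs.splitlines() if l.strip()]
    findings = []
    suspicious_sessions = set()      # (user, srcip) admin sessions from outside trusted ranges
    created_accounts = {}            # new admin account name -> source IP that created it
    last_login = {}                  # (user, srcip) -> timestamp of the most recent login
    quick_cycles = defaultdict(int)  # (user, srcip) -> login/logout pairs closer than the gap

    for ev in events:
        key = (ev.get("user"), ev.get("srcip"))
        if ev.get("subtype") == "system" and ev.get("status") == "success":
            if ev.get("action") == "login":
                last_login[key] = ev["ts"]
                if not is_trusted(ev["srcip"]) and key not in suspicious_sessions:
                    suspicious_sessions.add(key)
                    findings.append(("admin_login_untrusted_source", f"{key[0]} from {key[1]}"))
            elif ev.get("action") == "logout" and key in last_login:
                # Scripted activity shows up as login immediately followed by logout, repeatedly.
                if ev["ts"] - last_login[key] <= max_login_logout_gap:
                    quick_cycles[key] += 1
                    if quick_cycles[key] == min_repeats:
                        findings.append(("automated_login_logout_pattern", f"{key[0]} from {key[1]}"))
            elif ev.get("action") == "Add" and ev.get("cfgpath") == "system.admin":
                created_accounts[ev["cfgobj"]] = ev["srcip"]
                if key in suspicious_sessions:
                    findings.append(("admin_account_created_by_untrusted_session", ev["cfgobj"]))
        elif ev.get("subtype") == "vpn" and ev.get("action") == "tunnel-up":
            # SSL VPN authentication by an account that was only just created is the pivot step.
            if ev.get("user") in created_accounts:
                findings.append(("sslvpn_login_by_newly_created_admin", f"{ev['user']} from {ev['srcip']}"))
    return findings


if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_LOGS):
        print(f"[{rule}] {detail}")
```

Run against the constructed sample, the four rules fire in sequence: an admin login from outside the trusted range, the rapid login/logout cycling, a new admin object created inside that untrusted session, and finally an SSL VPN tunnel brought up by the freshly created account. The first rule alone is the one that matters most for prevention: if the management interface is reachable only from trusted ranges, the rest of the chain never starts.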
