Stratos Ally

Fortinet Firewalls Under Attack: Zero-Day Exploit Revealed


StratosAlly


A new campaign has attracted the attention of security researchers: FortiGate devices with publicly exposed management interfaces are being targeted. The campaign is believed to have started somewhere in November 2024, when unknown threat actors gained unauthorized access to the management interfaces of affected firewalls to alter configurations and extract credentials using DCSync.

The cybersecurity research firm Arctic Wolf released an analysis detailing that attackers obtained unauthorized administrative logins on the management interfaces of firewalls, created new accounts, modified SSL VPN authentication settings, and performed various other configuration changes through those accounts. Although the exact initial access vector remains unknown, the activity appears to involve the exploitation of a zero-day vulnerability affecting firmware versions ranging between 7.0.14 and 7.0.16.

The distinguishing feature of this campaign is the extensive use of the jsconsole interface from a handful of unusual IP addresses, which also suggests that multiple individuals or groups may have been involved.

The attackers logged in to the firewall management interfaces to make configuration changes, including modifying the console output setting from "standard" to "more" and provisioning new super admin accounts. The created super admin accounts were then used to set up as many as six new local user accounts per device and add them to the target organizations' existing groups for SSL VPN access. The malicious actors then established SSL VPN tunnels to the compromised devices. All client IP addresses used in these tunnels were traced back to a small group of Virtual Private Server (VPS) providers.
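The behaviours described above (jsconsole logins from unfamiliar addresses, the console output change, new admin and local user accounts, and SSL VPN tunnels from VPS ranges) all leave traces in FortiGate event logs. The following is an added example, not code from the article, Arctic Wolf or Fortinet, that parses FortiOS-style key=value log lines and flags each of those steps, then clusters findings by source address since the campaign reused a small set of IPs. The sample log lines are constructed, and the field names (`ui`, `srcip`, `remip`, `cfgpath`, `cfgattr`, `cfgobj`, `action`) and the trusted management prefixes are assumptions to be adjusted to your own log format and network.

```python
import re
from collections import Counter

# Constructed sample lines in FortiOS-style key=value event-log format.
# Field names are assumptions modelled on FortiOS conventions, not a vendor spec.
SAMPLE_LOGS = [
    'date=2024-11-18 time=03:12:41 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="jsconsole" srcip="203.0.113.45" action="login" status="success"',
    'date=2024-11-18 time=03:13:02 type="event" subtype="system" logdesc="Attribute configured" '
    'user="admin" ui="jsconsole" srcip="203.0.113.45" cfgpath="system.console" cfgattr="output[standard->more]"',
    'date=2024-11-18 time=03:14:10 type="event" subtype="system" logdesc="Object configured" '
    'user="admin" ui="jsconsole" srcip="203.0.113.45" action="Add" cfgpath="system.admin" cfgobj="svc_backup"',
    'date=2024-11-18 time=03:20:33 type="event" subtype="system" logdesc="Object configured" '
    'user="svc_backup" ui="jsconsole" srcip="198.51.100.7" action="Add" cfgpath="user.local" cfgobj="tmp_user1"',
    'date=2024-11-18 time=03:25:51 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" '
    'user="tmp_user1" remip="198.51.100.7" action="tunnel-up" tunneltype="ssl-tunnel"',
    'date=2024-11-18 time=08:00:05 type="event" subtype="system" logdesc="Admin login successful" '
    'user="netops" ui="https" srcip="10.0.0.12" action="login" status="success"',
]

# Assumed allowlist of management/VPN client networks; anything else is "unusual".
TRUSTED_PREFIXES = ("10.", "192.168.")

# key=value where the value is either "quoted" or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one FortiOS-style log line into a dict of field -> value."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in KV_RE.finditer(line)
    }


def is_trusted(ip):
    return ip.startswith(TRUSTED_PREFIXES)


def detect(lines):
    """Return (finding, subject, ip) tuples for each campaign behaviour seen."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        user = ev.get("user", "")
        # admin events carry srcip; SSL VPN events carry the client as remip
        ip = ev.get("srcip", ev.get("remip", ""))

        # 1. Successful admin login over jsconsole from outside trusted ranges
        if ev.get("action") == "login" and ev.get("ui") == "jsconsole" and not is_trusted(ip):
            findings.append(("jsconsole_login_untrusted", user, ip))

        # 2. Console output switched from "standard" to "more"
        if ev.get("cfgpath") == "system.console" and "output[standard->more]" in ev.get("cfgattr", ""):
            findings.append(("console_output_more", user, ip))

        # 3. New administrator account provisioned
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            findings.append(("admin_account_added", ev.get("cfgobj", ""), ip))

        # 4. New local user account (candidate for SSL VPN group membership)
        if ev.get("cfgpath") == "user.local" and ev.get("action") == "Add":
            findings.append(("local_user_added", ev.get("cfgobj", ""), ip))

        # 5. SSL VPN tunnel established from outside trusted ranges
        if ev.get("action") == "tunnel-up" and not is_trusted(ip):
            findings.append(("sslvpn_tunnel_untrusted", user, ip))
    return findings


def top_source_ips(findings, n=3):
    """Cluster findings by address: the campaign reused a handful of VPS IPs."""
    return Counter(ip for _, _, ip in findings if ip).most_common(n)


if __name__ == "__main__":
    hits = detect(SAMPLE_LOGS)
    for finding in hits:
        print(finding)
    print("most active sources:", top_source_ips(hits))
```

Run against real exports, the jsconsole rule alone is the highest-signal check: legitimate administrators rarely use that interface from addresses outside the management network, so a hit there paired with an account creation shortly afterwards is worth treating as a confirmed compromise rather than an anomaly.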

Fortinet has confirmed the zero-day and published details of a new critical authentication bypass vulnerability in FortiOS and FortiProxy (CVE-2024-55591, CVSS score: 9.6) that it said is responsible for hijacking firewalls and breaching enterprise networks. 

The affected versions include – 

  • FortiOS 7.0.0 – 7.0.16 (Upgrade to 7.0.17 or above) 
  • FortiProxy 7.0.0 – 7.0.19 (Upgrade to 7.0.20 or above) 
  • FortiProxy 7.2.0 – 7.2.12 (Upgrade to 7.2.13 or above) 

Organizations are advised not to expose their firewall management interfaces to the internet and to limit access to trusted users.

Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by January 21, 2025.
