Cybersecurity firm Arctic Wolf has detailed a cyber campaign exploiting Fortinet FortiGate firewall devices with exposed management interfaces on the public internet.
The campaign leverages a suspected zero-day vulnerability to compromise these devices, posing significant risks to affected organizations.
Details of the Exploitation
Fortinet confirmed the exploitation following Arctic Wolf’s observation of mass campaigns targeting publicly exposed FortiGate firewalls since November 2024.
FortiGate Next-Generation Firewalls (NGFW) include a command-line interface accessible via their web-based management interface, intended for convenient administrative management. Threat actors have exploited this feature to:
- Gain unauthorized administrative access.
- Modify firewall configurations.
- Extract credentials.
- Move laterally within compromised environments.
The attacks predominantly target devices running firmware versions 7.0.14 to 7.0.16, released between February and October 2024.
To evade detection, attackers have used spoofed IP addresses, including loopback addresses (e.g., 127.0.0.1) and public DNS resolvers (e.g., 8.8.8.8).
Multi-Phase Attack Campaign
Arctic Wolf Labs observed the campaign’s progression in four distinct phases between November 16 and December 27, 2024:
- Phase 1 (November 16–23): Vulnerability scans targeting the jsconsole command-line interface, often using unusual or spoofed IPs.
- Phase 2 (November 22–27): Initial configuration changes to confirm successful administrative access.
- Phase 3 (December 4–7): Configuration of SSL VPN access through:
- Creation of new super admin accounts.
- Hijacking existing accounts.
- Exploiting default “guest” accounts.
- Phase 4 (December 16–27): Use of the DCSync technique to extract credentials by exploiting domain replication, granting deeper access to sensitive information.
Immediate Remediation and Best Practices
Organizations using FortiGate firewalls are strongly advised to take the following measures:
- Disable Public Management Interface Access: Ensure firewall management interfaces are inaccessible from the public internet.
- Update Firmware: Regularly patch devices to the latest stable version to mitigate known vulnerabilities.
- Monitor for Anomalous Activity: Look for unusual login behaviors, such as short-lived admin logins or use of loopback IPs.
- Enable Multifactor Authentication (MFA): Strengthen login security for administrative access.
- Conduct Threat Hunting: Investigate for unauthorized configuration changes or SSL VPN account setups.
Arctic Wolf’s Response
Arctic Wolf has integrated detections for this campaign into its Managed Detection and Response (MDR) platform, enhancing its ability to protect customers. On December 12, 2024, Arctic Wolf reported the observed activities to Fortinet. Fortinet’s internal PSIRT team confirmed awareness of the campaign on December 17, 2024, and is actively investigating the issue.
