New Campaign Targets Fortinet FortiGate Devices with Zero-Day Exploit

Cybersecurity researchers have uncovered a new campaign targeting Fortinet FortiGate firewall devices with exposed management interfaces on the public internet. The attackers leveraged a zero-day vulnerability to gain unauthorized administrative access, manipulate configurations, and extract credentials for lateral movement within networks.

Key Findings from the Attack Campaign

According to cybersecurity firm Arctic Wolf, the campaign commenced in mid-November 2024, impacting Fortinet devices with firmware versions 7.0.14 to 7.0.16, released between February and October 2024. Threat actors exploited vulnerabilities in the firmware, leading to significant unauthorized actions, including:

1. Accessing Management Interfaces: Attackers gained administrative access through unknown means, presumed to be a zero-day exploit.

2. Credential Harvesting: Using the DCSync technique, attackers extracted credentials from affected systems.

3. Creation of New Admin Accounts: Super admin accounts and local user accounts were created, providing persistent access for future attacks.

4. VPN Misuse: New user accounts were added to SSL VPN groups, enabling the attackers to establish secure tunnels from VPS hosting providers.

Attack Phases

The campaign unfolded in four distinct phases:

1. Reconnaissance: Attackers scanned for vulnerable devices and altered configuration settings.

2. Initial Access: Unauthorized admin logins were used to infiltrate devices.

3. Privilege Escalation: Super admin and local user accounts were created.

4. Lateral Movement: Credentials were extracted via SSL VPN tunnels, potentially allowing further exploitation.

Unique Tradecraft

Researchers noted that attackers used the jsconsole interface and operated from unusual IP addresses associated with VPS hosting providers. The automation of login/logout events suggests opportunistic targeting, rather than specific organizational profiles. Victims spanned multiple sectors, emphasizing the broad nature of the attack.

Fortinet Confirms Zero-Day Exploit

Fortinet has since identified and disclosed a critical authentication bypass vulnerability in FortiOS and FortiProxy, tracked as CVE-2024-55591 with a CVSS score of 9.6. This vulnerability allows remote attackers to gain super-admin privileges through crafted requests targeting the Node.js websocket module.

Vulnerable Versions

The following versions are affected:

• FortiOS: 7.0.0 through 7.0.16 (patched in 7.0.17)

• FortiProxy: 7.0.0 through 7.0.19 (patched in 7.0.20) and 7.2.0 through 7.2.12 (patched in 7.2.13)

Actions Taken by Threat Actors

Fortinet confirmed that attackers used the zero-day vulnerability to:

• Create admin and local user accounts.

• Modify SSL VPN user groups.

• Make firewall policy changes.

Recommended Mitigation Steps

Organizations are urged to take immediate action to safeguard their networks:

1. Upgrade Firmware:

   • Update FortiOS to 7.0.17 or higher.

   • Update FortiProxy to 7.0.20 or 7.2.13 or higher.

2. Restrict Management Interfaces:

   • Disable access to management interfaces from the public internet.

   • Restrict access to trusted internal IP ranges.

3. Monitor and Audit:

   • Regularly monitor for unauthorized changes to configurations.

   • Audit accounts and remove any suspicious user additions.

4. Implement MFA:

   • Require multi-factor authentication (MFA) for all administrative access.

Conclusion

The Fortinet campaign underscores the importance of proactive cybersecurity measures. The attackers’ ability to exploit a zero-day vulnerability demonstrates the evolving sophistication of threat actors. Organizations must remain vigilant, update their systems, and implement robust access controls to minimize risk. Addressing these vulnerabilities swiftly is crucial to safeguarding critical infrastructure and sensitive data.