Fortinet Firewalls Targeted in Mass Exploitation Campaign
2025-01-14
Need some ammo against Fortinet? Discover the implications of unpatched vulnerabilities and mass exploitation campaigns.
In December, a mass exploitation campaign targeted Fortinet firewalls, potentially exploiting an unpatched zero-day vulnerability, although the exact flaw remains unidentified. Attackers accessed FortiGate firewalls through internet-exposed management interfaces, altered configurations and used SSL VPN tunnels for persistence, which allowed them to steal credentials for lateral movement within victim networks. The intrusions began in November, with suspicious activity involving unusual source IP addresses and web-based command-line interface interactions. Despite researchers notifying Fortinet, the specific vulnerability and its resolution remain unconfirmed.
Zero-Day, Misconfiguration, Weak or Compromised Credentials
Fortinet, FortiGate, Zero-Day, Exploitation, SSL VPN, Credential Theft
N/A
Fortinet, FortiGate, SSL VPN, Active Directory
Mass Exploitation Campaign Targets Fortinet Firewalls

Timeline and Observations
In December, a significant exploitation campaign was identified targeting Fortinet firewalls. Security researchers observed unauthorized access to Fortinet FortiGate devices, potentially leveraging an unpatched zero-day vulnerability. A zero-day is a vulnerability the vendor has not yet identified or patched, which makes it a prime target for attackers. The incidents were first noticed in November, with activity peaking in early December, and the observed patterns suggested widespread, opportunistic exploitation. Affected organizations recorded hundreds to thousands of unauthorized login attempts against their Fortinet firewalls within a short timeframe.

Attack Vector and Techniques
Attackers exploited internet-exposed management interfaces on FortiGate firewalls. Once access was gained, they altered firewall configurations and used SSL VPN tunnels to maintain a foothold on the compromised devices, which in turn allowed them to steal credentials and move laterally within the victims' networks. The attackers interacted with the devices' web-based command-line interface, often from spoofed source IP addresses. These included unusual addresses such as loopback and public DNS resolver addresses, directed at TCP ports 8023 and 9980.

Configuration Changes and Impact
The attackers made incremental configuration changes, initially altering settings related to the web-based CLI console output. Starting December 4, they made more substantial changes, including creating new super admin accounts and adding user accounts to existing SSL VPN access groups. In some cases, attackers hijacked existing accounts to expand their access. The impact is amplified by the attackers' ability to establish SSL VPN tunnels and harvest credentials, enabling further network infiltration.

Investigation and Response
The threat intelligence team reported the intrusions to Fortinet on December 12. By December 17, FortiGuard Labs PSIRT confirmed an investigation was underway. However, Fortinet has not confirmed the specific vulnerability or its patch status, and the ongoing investigation aims to clarify the attack vector and provide appropriate mitigations.
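The observations above translate directly into detection logic a defender can run over firewall event logs: management logins from loopback or public-resolver source addresses, web CLI traffic to TCP ports 8023 and 9980, bursts of failed logins, new super admin accounts, and membership changes on user groups used for SSL VPN access. The following is an added example written for this page, not code from the researchers or from Fortinet. The log lines are constructed in a simplified key=value layout modelled on FortiGate syslog; the field names (srcip, dstport, action, status, cfgpath, cfgobj, cfgattr) and the group name sslvpn_users are assumptions for the example, not an authoritative schema, and the brute-force threshold is arbitrary.

```python
"""Flag FortiGate-management anomalies in a batch of event logs (added example).
Log format and field names are assumed, modelled loosely on FortiGate syslog."""
from collections import Counter
import ipaddress
import shlex

# Sources that can never be a legitimate admin client: loopback (checked via
# ipaddress) and well-known public DNS resolvers, as seen in the campaign.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}
# Management ports the write-up names as targets of the web CLI traffic.
SUSPECT_PORTS = {8023, 9980}
# Failed logins from one source in the batch before it counts as brute force (arbitrary).
BRUTE_FORCE_THRESHOLD = 5


def parse_kv(line: str) -> dict:
    """Parse a space-separated key=value line; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_suspicious_source(ip: str) -> bool:
    """True for loopback or public-resolver sources; unparsable values are not flagged here."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or ip in PUBLIC_RESOLVERS


def analyse(lines):
    """Return one finding dict per rule match over the batch of log lines."""
    findings = []
    failures = Counter()
    for line in lines:
        ev = parse_kv(line)
        action = ev.get("action", "")
        if action == "login":
            src = ev.get("srcip", "")
            port = int(ev.get("dstport") or 0)
            if is_suspicious_source(src):
                findings.append({"rule": "spoofed-source-login", "src": src, "user": ev.get("user")})
            if port in SUSPECT_PORTS:
                findings.append({"rule": "unexpected-mgmt-port", "src": src, "port": port})
            if ev.get("status") == "failed":
                failures[src] += 1
        elif action in {"Add", "Edit"} and ev.get("cfgpath") == "system.admin":
            # A new or modified administrator carrying the super_admin profile.
            if "super_admin" in ev.get("cfgattr", ""):
                findings.append({"rule": "new-super-admin", "admin": ev.get("cfgobj"), "by": ev.get("user")})
        elif action == "Edit" and ev.get("cfgpath") == "user.group" and "member[" in ev.get("cfgattr", ""):
            # Membership change on a user group. In production, restrict this to the
            # groups mapped to SSL VPN portals; here every group is treated as one.
            findings.append({"rule": "sslvpn-group-change", "group": ev.get("cfgobj"), "by": ev.get("user")})
    for src, count in failures.items():
        if count >= BRUTE_FORCE_THRESHOLD:
            findings.append({"rule": "brute-force", "src": src, "failures": count})
    return findings


def rule_counts(findings) -> Counter:
    """Summarise findings by rule name."""
    return Counter(f["rule"] for f in findings)


# Constructed sample batch; 203.0.113.x and 198.51.100.x are documentation addresses.
SAMPLE_LOGS = [
    f"date=2024-11-20 time=03:12:{41 + i:02d} type=event subtype=system action=login "
    f"status=failed srcip=203.0.113.45 dstport=443 user=admin ui=https"
    for i in range(6)
] + [
    'date=2024-12-01 time=09:15:02 type=event subtype=system action=login status=success '
    'srcip=127.0.0.1 dstport=8023 user=admin ui=jsconsole',
    'date=2024-12-01 time=09:16:10 type=event subtype=system action=login status=success '
    'srcip=8.8.8.8 dstport=9980 user=admin ui=jsconsole',
    'date=2024-12-04 time=11:02:33 type=event subtype=system action=Add cfgpath=system.admin '
    'cfgobj=svc_backup cfgattr="accprofile[super_admin]" user=admin',
    'date=2024-12-04 time=11:05:07 type=event subtype=system action=Edit cfgpath=user.group '
    'cfgobj=sslvpn_users cfgattr="member[alice->alice svc_backup]" user=admin',
    'date=2024-12-04 time=12:00:00 type=event subtype=system action=login status=success '
    'srcip=198.51.100.7 dstport=443 user=jdoe ui=https',
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOGS):
        print(finding)
```

Run against the constructed batch, the script reports seven findings: the six-failure burst from 203.0.113.45, two spoofed-source logins paired with two unexpected-port hits for the loopback and 8.8.8.8 sessions, the super_admin account creation, and the group membership change; the ordinary login by jdoe produces nothing. The spoofed-source and port rules are the highest-fidelity signals because they have no benign explanation on a correctly deployed device, whereas the brute-force and group-change rules need tuning to the environment.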
https://www.theregister.com/2025/01/14/miscreants_mass_exploited_fortinet_firewalls/