Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

A New Campaign Targets Fortinet FortiGate Firewalls: The Growing Threat of Zero-Day Vulnerabilities



A new campaign is believed to be exploiting a zero-day vulnerability in Fortinet FortiGate firewalls whose management interfaces are exposed to the internet. Researchers urge organizations to disable management access on public-facing interfaces immediately to keep unauthorized actors off their network devices.

  • Fortinet FortiGate firewalls with management interfaces exposed online are likely being targeted through a zero-day vulnerability.
  • Threat actors gained unauthorized access to the devices through the jsconsole interface, logging in from a handful of anomalous source IP addresses.
  • The activity unfolded in four phases: vulnerability scanning (November 16-23, 2024), reconnaissance (November 22-27), SSL VPN setup (December 4-7) and lateral movement (December 16-27).
  • Affected devices ran firmware versions 7.0.14 through 7.0.16, which suggests the exploited flaw may have been introduced in that release train.
  • Organizations are urged to disable management access on public interfaces, keep firmware current, and monitor for suspicious administrative logins and configuration changes.


    A new campaign is likely exploiting a zero-day in Fortinet FortiGate firewalls whose management interfaces are exposed online. Researchers tracking the activity are urging organizations to act quickly to protect affected devices before they are used as a foothold into the network.

    The threat actors are believed to have gained unauthorized access to the devices by exploiting the zero-day in the FortiGate management interface. According to Arctic Wolf researchers, the common thread across victims was heavy use of the jsconsole interface (the CLI console offered through the web GUI) from a handful of unusual source IP addresses.

    The activity is thought to have begun in November 2024 and unfolded in four phases: vulnerability scanning (November 16-23, 2024), reconnaissance (November 22-27), SSL VPN setup (December 4-7) and lateral movement (December 16-27). Across diverse victim organizations the researchers observed hundreds to thousands of short-lived, automated jsconsole logins from anomalous IP addresses. The victimology appeared opportunistic rather than aimed at particular organizations.

    During the reconnaissance phase, the researchers noted that affected devices ran firmware versions between 7.0.14 and 7.0.16, released in February 2024 and October 2024 respectively. The narrow version range suggests the exploited flaw may have been introduced in that release train rather than being a long-standing bug.

    In the next phase (starting December 4, 2024), the attackers set up SSL VPN access by creating super_admin accounts or hijacking existing ones, then adding new local accounts to VPN user groups or directly to SSL VPN portals. They also reset the guest account password, created new SSL VPN portals, and used non-standard listening ports (4433, 59449 and 59450). With that in place they established SSL VPN tunnels from client IP addresses belonging to VPS hosting providers.

    In some intrusions the attackers logged in from their real remote IP addresses rather than disguising the source, and those same addresses later appeared as the client side of malicious SSL VPN tunnels. In other cases they used the https web UI instead of jsconsole and operated from newly created accounts rather than the built-in admin account.
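    The activity described in the preceding paragraphs (bursts of seconds-long jsconsole sessions from unexpected addresses, new super_admin accounts, SSL VPN changes, and logins by accounts that are not part of the admin baseline) all leaves traces in the firewall's own event log. The following is an added example of how to hunt for those traces; it is not code from the article, from Arctic Wolf or from Fortinet. The log lines are constructed in FortiGate's key=value event format, and the trusted-host list, the admin baseline and the 60-second session threshold are assumptions that must be tuned per environment.

```python
"""Hunt for suspicious FortiGate management-plane activity in event logs.

Added example, not code from the article or from Arctic Wolf. The log lines are
constructed in FortiGate's key=value event format; the trusted-host list, the
admin baseline and the 60 s threshold are assumptions to tune per environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumptions: who may administer the firewall, and from where.
TRUSTED_ADMIN_HOSTS = {"10.10.1.5"}
KNOWN_ADMINS = {"admin", "netops"}
SHORT_SESSION = timedelta(seconds=60)
# Config paths the campaign touched: local admins, SSL VPN settings/portals, local users and groups.
SENSITIVE_CFG_PREFIXES = ("system.admin", "vpn.ssl", "user.local", "user.group")

# Constructed sample: a normal GUI session, two short jsconsole sessions from an untrusted
# address (one of them creating a super_admin), then the new account moving the SSL VPN port.
SAMPLE_LOGS = """\
date=2024-11-22 time=09:00:01 logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.10.1.5)" srcip=10.10.1.5 action="login" status="success"
date=2024-11-22 time=09:40:12 logid="0100032003" type="event" subtype="system" logdesc="Admin logout successful" user="admin" ui="https(10.10.1.5)" srcip=10.10.1.5 action="logout" status="success"
date=2024-11-22 time=23:14:02 logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=203.0.113.77 action="login" status="success"
date=2024-11-22 time=23:14:04 logid="0100032003" type="event" subtype="system" logdesc="Admin logout successful" user="admin" ui="jsconsole" srcip=203.0.113.77 action="logout" status="success"
date=2024-11-22 time=23:14:09 logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=203.0.113.77 action="login" status="success"
date=2024-11-22 time=23:14:10 logid="0100044547" type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="jsconsole" action="Add" cfgpath="system.admin" cfgobj="support_tmp" cfgattr="accprofile[super_admin]"
date=2024-11-22 time=23:14:11 logid="0100032003" type="event" subtype="system" logdesc="Admin logout successful" user="admin" ui="jsconsole" srcip=203.0.113.77 action="logout" status="success"
date=2024-12-05 time=01:02:03 logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" user="support_tmp" ui="https(198.51.100.9)" srcip=198.51.100.9 action="login" status="success"
date=2024-12-05 time=01:05:00 logid="0100044547" type="event" subtype="system" logdesc="Object attribute configured" user="support_tmp" ui="GUI(198.51.100.9)" action="Edit" cfgpath="vpn.ssl.settings" cfgobj="settings" cfgattr="port[443->4433]"
"""


def parse_line(line: str) -> dict:
    """Parse one key=value event line; quoted and bare values are both supported."""
    fields = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}
    if "date" in fields and "time" in fields:
        fields["ts"] = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def analyze(raw_logs: str) -> dict:
    """Return suspicious logins, per-source counts of short jsconsole sessions, and
    sensitive configuration changes, noting whether an untrusted session was open."""
    report = {"suspicious_logins": [], "short_jsconsole_sessions": defaultdict(int), "sensitive_changes": []}
    open_sessions = {}  # (user, ui, srcip) -> login time

    for ev in (parse_line(l) for l in raw_logs.splitlines() if l.strip()):
        ts, user, ui, src = ev.get("ts"), ev.get("user"), ev.get("ui"), ev.get("srcip")
        key = (user, ui, src)
        if ev.get("action") == "login" and ev.get("status") == "success":
            open_sessions[key] = ts
            reasons = []
            if src not in TRUSTED_ADMIN_HOSTS:
                reasons.append(f"login via {ui} from untrusted source")
            if user not in KNOWN_ADMINS:
                reasons.append("account not in admin baseline")
            if reasons:
                report["suspicious_logins"].append({"ts": ts, "user": user, "srcip": src, "ui": ui, "reasons": reasons})
        elif ev.get("action") == "logout":
            start = open_sessions.pop(key, None)
            # Bursts of seconds-long jsconsole sessions are the automation fingerprint.
            if start is not None and ts is not None and ui == "jsconsole" and ts - start <= SHORT_SESSION:
                report["short_jsconsole_sessions"][src] += 1
        elif ev.get("cfgpath", "").startswith(SENSITIVE_CFG_PREFIXES):
            # Was the acting user logged in from somewhere other than a trusted admin host?
            untrusted_open = any(u == user and s not in TRUSTED_ADMIN_HOSTS for (u, _, s) in open_sessions)
            report["sensitive_changes"].append({"ts": ts, "user": user, "ui": ui, "cfgpath": ev["cfgpath"],
                                                "cfgobj": ev.get("cfgobj"), "cfgattr": ev.get("cfgattr"),
                                                "during_untrusted_session": untrusted_open})
    report["short_jsconsole_sessions"] = dict(report["short_jsconsole_sessions"])
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOGS), indent=2, default=str))
```

    On the constructed sample this flags both jsconsole logins from 203.0.113.77 and the login by the unknown account support_tmp, counts two short jsconsole sessions from that source, and reports the super_admin creation and the SSL VPN port change as changes made while an untrusted session was open. On real data the interesting signal is the per-source count of short jsconsole sessions growing into the hundreds, and any change under system.admin or vpn.ssl that you did not schedule.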

    In the final observed phase, after establishing SSL VPN access into victim environments, the threat actors set about harvesting credentials for lateral movement, using the DCSync technique to extract domain admin credentials; a workstation with the hostname "kali" was also observed. The actors were evicted from the affected environments before they could go any further.

    The campaign was active from November 2024 until at least December 27, 2024. The picture of what was done on compromised firewalls is likely incomplete, since the researchers had limited visibility into the devices themselves.

    Organizations are urged to disable firewall management access on public-facing interfaces immediately, keep firmware current, and monitor for suspicious activity such as unexpected administrative logins and configuration changes.
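    In FortiOS terms, "disable management access on public interfaces" means removing https, http, ssh and telnet from the interface's allowaccess list (for example `config system interface`, `edit wan1`, `set allowaccess ping`, `next`, `end`) and pinning every administrator to a management subnet with `set trusthost1 <network> <mask>` under `config system admin`. The following is an added example, not code from the article or from Fortinet, that audits captured `show` output for exactly those conditions and for SSL VPN port drift. Both configurations are constructed; the interface names, the 10.10.1.0/24 management network and the baseline SSL VPN ports are assumptions, and the parser handles only flat config/edit/set/next/end blocks.

```python
"""Audit FortiOS 'show' output for exposed management access, unrestricted
super_admin accounts and SSL VPN port drift.

Added example, not code from the article or from Fortinet. Both configurations
below are constructed; interface names, addresses and baseline ports are assumptions.
"""
import shlex

MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}
BASELINE_SSLVPN_PORTS = {"443", "10443"}        # assumption: what this site expects
CAMPAIGN_PORTS = {"4433", "59449", "59450"}     # non-standard ports reported in the campaign

# Constructed: management reachable on the WAN interface, the built-in super_admin
# with no trusted-host restriction, and the SSL VPN moved to a port seen in the campaign.
WEAK_CONFIG = """\
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "netops"
        set accprofile "super_admin"
        set trusthost1 10.10.1.0 255.255.255.0
    next
end
config vpn ssl settings
    set port 4433
end
"""

# Constructed: the same device after the three fixes. Only ping is left on wan1,
# the admin account is pinned to the management subnet, and SSL VPN is back on 443.
HARDENED_CONFIG = (
    WEAK_CONFIG
    .replace("set allowaccess ping https ssh\n        set role wan", "set allowaccess ping\n        set role wan")
    .replace('edit "admin"\n        set accprofile "super_admin"\n    next',
             'edit "admin"\n        set accprofile "super_admin"\n        set trusthost1 10.10.1.0 255.255.255.0\n    next')
    .replace("set port 4433", "set port 443")
)


def parse_fortios(text: str) -> dict:
    """Parse flat FortiOS CLI output into {section: {entry: {setting: [values]}}}.
    Settings directly under a section (no 'edit', e.g. vpn ssl settings) live under the '' key."""
    sections, section, entry = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section, entry = line[7:], ""
            sections.setdefault(section, {})
        elif line.startswith("edit ") and section is not None:
            entry = line[5:].strip().strip('"')
            sections[section].setdefault(entry, {})
        elif line.startswith("set ") and section is not None:
            words = shlex.split(line[4:])
            sections[section].setdefault(entry, {})[words[0]] = words[1:]
        elif line == "next":
            entry = ""
        elif line == "end":
            section = None
    return sections


def audit(cfg: dict) -> list:
    """Return (check, object, detail) findings; an empty list means all checks pass."""
    findings = []
    for name, iface in cfg.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(iface.get("allowaccess", []))
        if iface.get("role") == ["wan"] and exposed:
            findings.append(("mgmt-on-wan", name,
                             f"{sorted(exposed)} allowed on a WAN-role interface; fix: 'set allowaccess ping' "
                             "and administer the device from an internal or dedicated management interface"))
    for name, admin in cfg.get("system admin", {}).items():
        if admin.get("accprofile") == ["super_admin"] and not any(k.startswith("trusthost") for k in admin):
            findings.append(("admin-no-trusthost", name,
                             "super_admin reachable from any source; fix: 'set trusthost1 <mgmt-net> <mask>'"))
    port = cfg.get("vpn ssl settings", {}).get("", {}).get("port", ["443"])[0]
    if port not in BASELINE_SSLVPN_PORTS:
        note = " (a port reported in this campaign)" if port in CAMPAIGN_PORTS else ""
        findings.append(("sslvpn-port-drift", port, f"SSL VPN listening on {port}, not a baseline port{note}"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_fortios(text)))
```

    The weak configuration produces three findings (management on wan1, the admin account with no trusted hosts, and SSL VPN on 4433); the hardened one produces none. Note that the LAN-side interface keeping https is deliberately not flagged: the point the article makes is about public-facing exposure, and the check follows the interface role rather than blanket-forbidding the GUI.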

    The growing threat of zero-day vulnerabilities in edge devices such as FortiGate firewalls underlines the need to limit management exposure, patch promptly and watch administrative activity closely, so that organizations can respond quickly when the next such campaign emerges.

    Related Information:

  • https://securityaffairs.com/173050/hacking/attackers-target-zero-day-in-fortinet-fortigate-firewalls.html


  • Published: Tue Jan 14 07:17:41 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.
