Ethical Hacking News
A new campaign has been reported that targets Fortinet firewalls with exposed management interfaces on the public internet, exploiting a zero-day vulnerability to gain unauthorized access. The malicious activity was observed going through four distinct attack phases, involving unauthorized administrative logins, creation of new accounts, and configuration changes. To mitigate such risks, organizations are advised to limit access to trusted users, keep up-to-date with security patches and firmware updates, and implement robust security measures.
The Fortinet firewall campaign targets devices with exposed management interfaces on the public internet.
The attack is believed to be driven by a zero-day vulnerability, with unknown threat actors gaining unauthorized access to management interfaces.
Threat actors altered configurations, created new accounts, and extracted credentials using DCSync.
The campaign has been observed going through four distinct attack phases, starting from November 16, 2024.
The attackers used the jsconsole interface from unusual IP addresses to make configuration changes.
Newly created super admin accounts were used to set up local user accounts and add them to existing groups for SSL VPN access.
Threat actors established SSL VPN tunnels with affected devices, then leveraged that access for lateral movement using DCSync.
The campaign highlights the importance of keeping security patches and firmware updates current and implementing robust security measures.
Zero-day vulnerabilities have been a major concern for cybersecurity experts and organizations alike, as they can be exploited by attackers to gain unauthorized access to systems and data. Recently, a new campaign has been reported that targets Fortinet firewalls with exposed management interfaces on the public internet. The malicious activity is believed to have commenced in mid-November 2024, with unknown threat actors gaining unauthorized access to management interfaces on affected firewalls to alter configurations and extract credentials using DCSync.
The exact initial access vector is currently not known, although it has been assessed with "high confidence" that it's likely driven by the exploitation of a zero-day vulnerability given the "compressed timeline across affected organizations as well as firmware versions affected." The firmware versions of devices that were impacted ranged between 7.0.14 and 7.0.16, which were released in February and October 2024 respectively.
Threat hunters are calling attention to this new campaign, which involves unauthorized administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes. The malicious activity is believed to have commenced around November 16, 2024, allowing the bad actors to progress from vulnerability scanning and reconnaissance to configuration changes and lateral movement.
The campaign has been observed going through four distinct attack phases, from vulnerability scanning and reconnaissance through configuration changes to lateral movement. What stands out about these activities in contrast with legitimate firewall activities is the fact that they made extensive use of the jsconsole interface from a handful of unusual IP addresses.
Given subtle differences in tradecraft and infrastructure between intrusions, it is possible that multiple individuals or groups may have been involved in this campaign, but jsconsole usage was a common thread across the board. The digital break-ins, in a nutshell, involved the attackers logging in to the firewall management interfaces to make configuration changes, including modifying the output setting from "standard" to "more," as part of early reconnaissance efforts, before making more extensive changes to create new super admin accounts at the start of December 2024.
These newly created super admin accounts are said to have been subsequently used to set up as many as six new local user accounts and add them to existing groups that had been previously created by victim organizations for SSL VPN access. In other incidents, existing accounts were hijacked and added to groups with VPN access. Threat actors were also observed creating new SSL VPN portals which they added user accounts to directly.
Upon making the necessary changes, threat actors established SSL VPN tunnels with the affected devices. All of the client IP addresses of the tunnels originated from a handful of VPS hosting providers. The campaign culminated with the adversaries leveraging the SSL VPN access to extract credentials for lateral movement using a technique called DCSync. That said, there is currently no visibility into their end goals as they were purged from compromised environments before the attacks could proceed to the next stage.
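The four phases described above (jsconsole logins from unusual addresses and the console output change, super admin creation, local users added to SSL VPN groups, and SSL VPN tunnels used for DCSync) each leave a trace in the firewall's own event log. The following detection script is an added example written for this article; it is not code from the article, from the researchers, or from Fortinet. The sample log lines are constructed to mimic FortiOS key=value syslog fields (logdesc, ui, srcip, action, cfgpath, cfgobj, cfgattr, remip, tunneltype), and the trusted admin network is an assumed allowlist that a defender would replace with their own admin ranges.

```python
"""Flag the four-phase FortiGate intrusion pattern in key=value event logs.

Added example, not from the article or from Fortinet. The sample lines are
constructed to mimic FortiOS syslog fields; TRUSTED_ADMIN_NETS is an assumed
allowlist of where legitimate administrators log in from.
"""
import ipaddress
import re

# key=value pairs; quoted values may contain spaces
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample events, in the order the article describes the phases.
SAMPLE_LOGS = [
    'date=2024-11-16 time=03:12:41 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=203.0.113.45 action="login" status="success"',
    'date=2024-11-16 time=03:13:05 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="jsconsole" action="Edit" cfgpath="system.console" cfgattr="output[standard->more]"',
    'date=2024-12-01 time=02:40:17 type="event" subtype="system" logdesc="Object configured" user="admin" ui="jsconsole" action="Add" cfgpath="system.admin" cfgobj="support" cfgattr="accprofile[super_admin]"',
    'date=2024-12-01 time=02:41:02 type="event" subtype="system" logdesc="Object configured" user="support" ui="jsconsole" action="Add" cfgpath="user.local" cfgobj="vpnuser1" cfgattr="type[password]"',
    'date=2024-12-01 time=02:41:30 type="event" subtype="system" logdesc="Object attribute configured" user="support" ui="jsconsole" action="Edit" cfgpath="user.group" cfgobj="SSLVPN_Users" cfgattr="member[vpnuser1]"',
    'date=2024-12-02 time=01:05:11 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" user="vpnuser1" group="SSLVPN_Users" remip=198.51.100.77',
    # benign: the real administrator over HTTPS from the trusted admin range
    'date=2024-12-02 time=09:00:00 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(192.0.2.10)" srcip=192.0.2.10 action="login" status="success"',
]
TRUSTED_ADMIN_NETS = ["192.0.2.0/24"]  # assumption: the organisation's admin range

# Which of the article's four phases each rule belongs to.
RULE_PHASE = {
    "jsconsole_login_untrusted_ip": 1, "console_output_changed": 1,
    "super_admin_created": 2, "admin_created": 2,
    "local_user_created": 3, "vpn_group_membership_changed": 3,
    "sslvpn_by_newly_created_account": 4,
}


def parse_line(line):
    """Turn a FortiOS-style key=value line into a dict, dropping quotes."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def _in_nets(ip, nets):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in nets)


def detect(lines, trusted_admin_nets):
    """Return (rule, actor, detail) findings for one batch of log lines."""
    nets = [ipaddress.ip_network(n) for n in trusted_admin_nets]
    findings, created_accounts = [], set()
    for raw in lines:
        ev = parse_line(raw)
        desc, user = ev.get("logdesc", ""), ev.get("user", "?")
        src = ev.get("srcip", ev.get("remip", ""))
        cfgpath, attr = ev.get("cfgpath"), ev.get("cfgattr", "")
        # Phase 1: admin login via the jsconsole widget from outside the allowlist
        if desc == "Admin login successful" and "jsconsole" in ev.get("ui", "") and not _in_nets(src, nets):
            findings.append(("jsconsole_login_untrusted_ip", user, src))
        # Phase 1: console output switched (standard -> more), the recon marker
        if cfgpath == "system.console" and "output[" in attr:
            findings.append(("console_output_changed", user, attr))
        # Phase 2: a new administrator object, worst when it gets super_admin
        if cfgpath == "system.admin" and ev.get("action") == "Add":
            created_accounts.add(ev.get("cfgobj", ""))
            rule = "super_admin_created" if "super_admin" in attr else "admin_created"
            findings.append((rule, user, ev.get("cfgobj", "")))
        # Phase 3: local users created and pushed into an SSL VPN group
        if cfgpath == "user.local" and ev.get("action") == "Add":
            created_accounts.add(ev.get("cfgobj", ""))
            findings.append(("local_user_created", user, ev.get("cfgobj", "")))
        if cfgpath == "user.group" and "member[" in attr:
            findings.append(("vpn_group_membership_changed", user, attr))
        # Phase 4: an SSL VPN tunnel brought up by an account created in this batch
        if ev.get("action") == "tunnel-up" and ev.get("tunneltype", "").startswith("ssl") and user in created_accounts:
            findings.append(("sslvpn_by_newly_created_account", user, src))
    return findings


def phases_observed(findings):
    """Sorted list of phases (1-4) that the findings cover."""
    return sorted({RULE_PHASE[rule] for rule, _, _ in findings})


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS, TRUSTED_ADMIN_NETS)
    for rule, actor, detail in found:
        print(f"{rule:32} actor={actor:10} {detail}")
    print("phases seen:", phases_observed(found))
```

Run over a real log export, the value is in the correlation rather than any single rule: a jsconsole login from an unlisted address followed within days by a super_admin object, a new local user in a VPN group, and a tunnel by that same user is the sequence the article describes, whereas any one of those events on its own may be routine administration.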
To mitigate such risks, it's essential that organizations do not expose their firewall management interfaces to the internet and limit the access to trusted users. The victimology in this campaign was not limited to any specific sectors or organization sizes, as the diversity of victim organization profiles combined with the appearance of automated login/logout events suggests that the targeting was opportunistic in nature rather than being deliberately and methodically targeted.
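Whether a management interface is reachable from the internet, and whether administrator accounts are restricted to trusted hosts, can be read straight out of a FortiOS configuration backup. The audit script below is an added example, not code from the article or from Fortinet; it parses the FortiOS `config` / `edit` / `set` / `next` / `end` syntax and compares a constructed weak configuration (HTTPS and SSH allowed on the WAN-role interface, a super admin with no trusthost entries, console output left on "more") with a constructed hardened one. The interface and account names are assumptions.

```python
"""Audit a FortiOS config dump for exposed management access.

Added example, not from the article or from Fortinet. Both configuration
texts are constructed; interface and admin names are assumptions.
"""
import shlex

MGMT_SERVICES = {"https", "http", "ssh", "telnet"}

WEAK_CONFIG = """
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set trusthost1 192.0.2.0 255.255.255.0
        set accprofile "super_admin"
    next
    edit "support"
        set accprofile "super_admin"
    next
end
config system console
    set output more
end
"""

HARDENED_CONFIG = """
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping
        set role wan
    next
    edit "internal"
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set trusthost1 192.0.2.0 255.255.255.0
        set accprofile "super_admin"
    next
end
config system console
    set output standard
end
"""


def parse_fortios_config(text):
    """Build nested dicts: table -> entry -> setting -> list of values."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)          # handles the quoted names
        if tok[0] == "config":
            name = " ".join(tok[1:])
            stack.append(stack[-1].setdefault(name, {}))
        elif tok[0] == "edit":
            stack.append(stack[-1].setdefault(tok[1], {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            stack.pop()
    return root


def audit(cfg):
    """Return (check, object, detail) for each weak setting found."""
    findings = []
    # management services reachable on an interface with the WAN role
    for name, iface in cfg.get("system interface", {}).items():
        exposed = MGMT_SERVICES & set(iface.get("allowaccess", []))
        if iface.get("role", [""])[0] == "wan" and exposed:
            findings.append(("mgmt_exposed_on_wan", name, sorted(exposed)))
    # administrators not pinned to trusted source networks
    for name, adm in cfg.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in adm):
            findings.append(("admin_without_trusthost", name, adm.get("accprofile", ["?"])[0]))
    # the console output drift the article lists as an early recon marker
    if cfg.get("system console", {}).get("output") == ["more"]:
        findings.append(("console_output_more", "system console", "more"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_fortios_config(text)) or "no findings")
```

The trusthost check is deliberately strict: an administrator with no trusthost entries can log in from any address that can reach the interface, which is exactly the combination the campaign relied on.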
The discovery of this new campaign highlights the importance of keeping up-to-date with the latest security patches and firmware updates for network devices. It also emphasizes the need for organizations to implement robust security measures, such as multi-factor authentication and regular vulnerability assessments, to protect themselves against zero-day vulnerabilities.
Furthermore, it is essential for organizations to educate their employees on cybersecurity best practices, including the importance of not clicking on suspicious links or using weak passwords. By taking proactive steps to secure their networks and systems, organizations can reduce the risk of falling victim to attacks like this one.
In conclusion, the recent campaign targeting Fortinet firewalls with exposed management interfaces on the public internet serves as a reminder of the ongoing threat landscape in the cybersecurity world. As such, it is crucial for organizations to remain vigilant and take proactive steps to secure their networks and systems against emerging threats like zero-day vulnerabilities.
Related Information:
https://thehackernews.com/2025/01/zero-day-vulnerability-suspected-in.html
https://cybersecuritynews.com/fortinet-fortigate-firewalls-under-attack-by-exploit-a-zero-day-vulnerability/
Published: Tue Jan 14 04:34:05 2025 by llama3.2 3B Q4_K_M