Ethical Hacking News
Fortinet has issued a warning about a new zero-day vulnerability (CVE-2024-55591) targeting firewalls with exposed management interfaces, which can allow remote attackers to gain super-admin privileges via crafted requests. The vulnerability affects FortiOS and FortiProxy versions 7.0.0 through 7.0.16 and 7.2.0 through 7.2.12, with patching recommended by January 21, 2025 for federal agencies. Threat actors have used the vulnerability to create admin and local user accounts, set up new user groups, and make firewall policy changes on affected firewalls. The attack campaign involved four phases: vulnerability scanning and reconnaissance, configuration changes, lateral movement, and exploiting SSL VPN authentication. Organizations are advised to limit exposure of firewall management interfaces, prioritize their security posture, implement timely patching practices, and monitor their networks for unusual activity.
Fortinet, a leading cybersecurity firm, has issued a warning about a new zero-day vulnerability that has been used in attacks on firewalls with exposed management interfaces. The vulnerability, identified as CVE-2024-55591, is a critical authentication bypass vulnerability that can allow remote attackers to gain super-admin privileges via crafted requests.
According to Fortinet's advisory, the vulnerability affects FortiOS and FortiProxy versions 7.0.0 through 7.0.16 (upgrade to 7.0.17 or above) and 7.2.0 through 7.2.12 (upgrade to 7.2.13 or above). The vulnerability has been weaponized by unknown threat actors to create admin and local user accounts, set up new user groups, and make firewall policy changes.
Threat hunters believe the malicious activity commenced in mid-November 2024, with unknown threat actors gaining unauthorized access to management interfaces on affected firewalls to alter configurations and extract credentials using DCSync. The exact initial access vector is not yet known, although it has been assessed with "high confidence" that the activity is likely driven by the exploitation of a zero-day vulnerability.
Arctic Wolf, a cybersecurity firm, released an analysis last week revealing that the campaign involved unauthorized administrative logins on firewall management interfaces, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes. The malicious activity is believed to have followed four distinct attack phases, starting with vulnerability scanning and reconnaissance and progressing through configuration changes, lateral movement, and SSL VPN authentication.
In a nutshell, the digital break-ins involved the attackers logging in to the firewall management interfaces to make configuration changes. As part of early reconnaissance they modified the output setting from "standard" to "more"; at the start of December 2024 they made more extensive changes, creating new super admin accounts. These newly created super admin accounts were subsequently used to set up as many as six new local user accounts per device and add them to existing groups that victim organizations had previously created for SSL VPN access.
Threat actors were also observed creating new SSL VPN portals, which they added user accounts to directly. Upon making the necessary changes, threat actors established SSL VPN tunnels with the affected devices. All of the client IP addresses of the tunnels originated from a handful of VPS hosting providers.
The campaign culminated with the adversaries leveraging the SSL VPN access to extract credentials for lateral movement using a technique called DCSync. However, there is currently no visibility into their end goals as they were purged from compromised environments before the attacks could proceed to the next stage.
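The chain described above (an output setting flipped during reconnaissance, super-admin accounts created, local users added to existing SSL VPN groups, new SSL VPN portals, then SSL VPN logins by those fresh accounts) is what a defender would want to pull out of firewall event logs. The following Python triage script is an added example, not code from the article, Fortinet or Arctic Wolf. The sample log lines, their key=value field names (`cfgpath`, `cfgattr`, `cfgobj`, `srcip`, `remip`) and the trusted management network `10.0.0.0/8` are constructed assumptions that only approximate FortiOS event logs; they would need adjusting to a real deployment.

```python
"""Triage FortiGate-style event logs for the post-exploitation indicators
described in the article. Added example: the log lines, field names and the
trusted network are constructed assumptions, not real captures."""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List

# Assumed allowlist: only this network should reach the management interface.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines approximating FortiOS event logs (not real data).
SAMPLE_LOGS = [
    'date=2024-11-20 time=09:12:01 type=event subtype=system user="admin" ui="jsconsole" '
    'action=Edit cfgpath="system.console" cfgattr="output[standard->more]" srcip=203.0.113.10',
    'date=2024-12-02 time=03:41:17 type=event subtype=system user="admin" ui="jsconsole" '
    'action=Add cfgpath="system.admin" cfgobj="svcadmin" cfgattr="accprofile[super_admin]" srcip=203.0.113.10',
    'date=2024-12-02 time=03:45:02 type=event subtype=system user="svcadmin" ui="jsconsole" '
    'action=Add cfgpath="user.local" cfgobj="vpnuser1" srcip=203.0.113.10',
    'date=2024-12-02 time=03:46:10 type=event subtype=system user="svcadmin" ui="jsconsole" '
    'action=Edit cfgpath="user.group" cfgobj="SSLVPN_Users" cfgattr="member[vpnuser1]" srcip=203.0.113.10',
    'date=2024-12-02 time=03:47:40 type=event subtype=system user="svcadmin" ui="jsconsole" '
    'action=Add cfgpath="vpn.ssl.web.portal" cfgobj="portal2" srcip=203.0.113.10',
    'date=2024-12-02 time=03:50:33 type=event subtype=vpn action="tunnel-up" tunneltype="ssl-web" '
    'user="vpnuser1" remip=198.51.100.7 msg="SSL tunnel established"',
    # Benign baseline: a policy edit by a known admin from the trusted network.
    'date=2024-12-02 time=10:00:00 type=event subtype=system user="netops" ui="GUI(10.0.0.5)" '
    'action=Edit cfgpath="firewall.policy" cfgobj="12" srcip=10.0.0.5',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse one key=value log line; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def _trusted(ip: str) -> bool:
    """True if the address falls inside the management allowlist."""
    try:
        return any(ipaddress.ip_address(ip) in net for net in TRUSTED_MGMT_NETS)
    except ValueError:  # missing or malformed address counts as untrusted
        return False


def triage(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per (rule, event) pair, in log order."""
    findings: List[Dict[str, str]] = []
    new_users = set()  # local accounts created inside this log window
    for n, line in enumerate(lines, 1):
        ev = parse_kv(line)
        cfg, action = ev.get("cfgpath", ""), ev.get("action", "")
        attr, user = ev.get("cfgattr", ""), ev.get("user", "")
        rules = []
        if cfg == "system.console" and "output[" in attr:
            rules.append("console_output_changed")          # recon step
        if cfg == "system.admin" and action == "Add":
            rules.append("admin_account_created")
        if cfg == "user.local" and action == "Add":
            rules.append("local_user_created")
            new_users.add(ev.get("cfgobj", ""))
        if cfg == "user.group" and "member[" in attr:
            rules.append("user_added_to_group")
        if cfg.startswith("vpn.ssl.web.portal") and action == "Add":
            rules.append("sslvpn_portal_created")
        if cfg and not _trusted(ev.get("srcip", "")):
            rules.append("config_change_from_untrusted_source")
        if ev.get("subtype") == "vpn" and action == "tunnel-up" and user in new_users:
            rules.append("sslvpn_login_by_newly_created_user")
        for rule in rules:
            findings.append({
                "rule": rule, "user": user,
                "src": ev.get("srcip") or ev.get("remip", ""),
                "when": f"{ev.get('date', '')} {ev.get('time', '')}",
                "line": str(n),
            })
    return findings


def summarize(findings: List[Dict[str, str]]) -> Counter:
    """Count findings per rule for a quick overview."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOGS)
    for f in results:
        print(f"line {f['line']:>2} {f['when']} {f['rule']:<38} user={f['user']} src={f['src']}")
    print(dict(summarize(results)))
```

Running the script prints eleven findings for the six attacker-side lines and nothing for the `netops` policy edit from the trusted network. The "login by newly created user" rule is the one worth keeping even on noisy estates: SSL VPN logins are routinely external, but a login by an account that was created through the management interface minutes earlier, from an address outside the allowlist, matches the campaign closely.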
To mitigate such risks, organizations should not expose their firewall management interfaces to the internet and should limit access to trusted users. The victimology in this campaign was not limited to any specific sectors or organization sizes; rather, it appeared to be opportunistic in nature.
Fortinet has published a detailed advisory for the vulnerability, along with solutions and workarounds to help customers mitigate their risk. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by January 21, 2025.
In light of this new vulnerability, cybersecurity experts are advising organizations to prioritize their security posture, implement timely patching practices, and monitor their networks for unusual activity. They also recommend that customers refer to Fortinet's advisory and follow the guidance provided for CVE-2024-55591.
Related Information:
https://thehackernews.com/2025/01/zero-day-vulnerability-suspected-in.html
Published: Wed Jan 15 00:49:16 2025 by llama3.2 3B Q4_K_M