Threat hunters are taking notice of a new campaign targeting Fortinet FortiGate firewalls with management interfaces exposed on the public Internet.
“The campaign involved unauthorized administrative logins to firewall management interfaces, creating new accounts, SSL VPN authentication through those accounts, and various other configuration changes,” cyber security firm Arctic Wolf said in an analysis published last week.
The malicious activity is believed to have started in mid-November 2024, with unknown threat actors gaining unauthorized access to the management interfaces of the compromised firewalls, changing their configurations and ultimately obtaining credentials using DCSync.
The exact initial access vector is currently unknown, although it has been assessed with “high confidence” that it is likely due to the exploitation of a zero-day vulnerability, given the “compressed timeline at the affected organizations, as well as the affected firmware versions.”
The firmware versions of the affected devices ranged between 7.0.14 and 7.0.16, which were released in February and October 2024, respectively.
The campaign was seen to go through four distinct attack phases that began around November 16, 2024, in which the malicious actors progressed from vulnerability scanning and reconnaissance to reconfiguration and lateral movement.
“What makes this activity stand out from legitimate firewall activity is the fact that they used the jsconsole interface extensively from several unusual IP addresses,” Arctic Wolf researchers said.
“Given the slight differences in tradecraft and infrastructure between the intrusions, it is possible that multiple individuals or groups were involved in this campaign, but the use of jsconsole was a common theme for all.”
The attacks, in a nutshell, involved the threat actors logging into firewall management interfaces to make configuration changes, including changing the output setting from “standard” to “more” as part of initial reconnaissance, before making broader changes to create new super admin accounts in early December 2024.
These newly created super administrator accounts are said to have subsequently been used to create six new local user accounts and add them to existing groups previously created by the victim organizations for SSL VPN access. In other cases, existing accounts were hijacked and added to groups with VPN access.
“Threat actors have also been observed creating new SSL VPN portals into which they directly add user accounts,” noted Arctic Wolf. “After making the necessary changes, the threat actors established SSL VPN tunnels with the affected devices. All client IP addresses of the tunnels came from multiple VPS hosting providers.”
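The indicators described above (admin logins through the jsconsole interface from unfamiliar source addresses, newly created super admin and local accounts, users added to existing VPN groups, new SSL VPN portals, and tunnels established from VPS-hosted addresses) can be turned into a simple log-hunting routine. The following is an added example written for this article, not code from Arctic Wolf or Fortinet. It assumes FortiGate-style key=value event logs; the field names it keys on (ui, srcip, cfgpath, cfgattr, msg, remip, logdesc) are modelled on that format but are assumptions that should be checked against the reader's own device logs, the trusted management network is constructed, and the sample log lines are constructed for the demonstration.

```python
"""Hunt FortiGate-style event logs for the activity pattern described above.

Added example, not vendor or Arctic Wolf code. Field names are assumptions
modelled on FortiGate's key=value event format; verify against real logs.
"""
import ipaddress
import re

# key=value pairs; values may be double-quoted and contain spaces
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Assumed: the only network from which admins legitimately manage the firewall.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/16")]


def parse_line(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def is_trusted(ip):
    """True if ip parses and lies inside one of the trusted management networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def classify(fields):
    """Return the name of the first matching detection rule, or None."""
    logdesc = fields.get("logdesc", "")
    cfgpath = fields.get("cfgpath", "")
    cfgattr = fields.get("cfgattr", "")
    msg = fields.get("msg", "")
    # 1. successful admin login via the jsconsole UI from outside trusted nets
    if (logdesc == "Admin login successful" and fields.get("ui") == "jsconsole"
            and not is_trusted(fields.get("srcip", ""))):
        return "jsconsole_login_untrusted_ip"
    # 2. new admin account; flag the super_admin profile separately
    if cfgpath == "system.admin" and msg.startswith("Add "):
        if "super_admin" in cfgattr:
            return "super_admin_account_created"
        return "admin_account_created"
    # 3. new local user, or membership change on an existing (VPN) group
    if cfgpath == "user.local" and msg.startswith("Add "):
        return "local_user_created"
    if cfgpath == "user.group" and cfgattr.startswith("member["):
        return "group_membership_changed"
    # 4. new SSL VPN portal
    if cfgpath == "vpn.ssl.web.portal" and msg.startswith("Add "):
        return "ssl_vpn_portal_created"
    # 5. SSL VPN tunnel established from a source outside trusted nets
    if logdesc == "SSL VPN tunnel up" and not is_trusted(fields.get("remip", "")):
        return "ssl_vpn_tunnel_untrusted_ip"
    # 6. output setting changed to "more", seen during early reconnaissance
    if cfgpath == "system.console" and "output[more]" in cfgattr:
        return "console_output_set_more"
    return None


def hunt(lines):
    """Return (findings, distinct jsconsole source IPs) for a list of log lines.

    Each finding is (rule, source ip, user). Counting distinct jsconsole source
    addresses helps surface the 'several unusual IPs' pattern."""
    findings = []
    jsconsole_ips = set()
    for line in lines:
        f = parse_line(line)
        rule = classify(f)
        if rule:
            findings.append((rule, f.get("srcip") or f.get("remip") or "-", f.get("user", "-")))
        if f.get("ui") == "jsconsole" and "srcip" in f:
            jsconsole_ips.add(f["srcip"])
    return findings, jsconsole_ips


# Constructed sample lines (documentation IP ranges), not captured from a real device.
SAMPLE_LOGS = [
    'date=2024-12-01 time=03:14:07 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=203.0.113.44 action="login" status="success"',
    'date=2024-12-01 time=03:15:22 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="jsconsole" srcip=203.0.113.44 cfgpath="system.console" cfgattr="output[more]" msg="Edit system.console"',
    'date=2024-12-01 time=03:16:02 type="event" subtype="system" logdesc="Object configured" user="admin" ui="jsconsole" srcip=198.51.100.7 cfgpath="system.admin" cfgobj="svc_backup" cfgattr="accprofile[super_admin]" msg="Add system.admin svc_backup"',
    'date=2024-12-01 time=03:18:40 type="event" subtype="system" logdesc="Object configured" user="svc_backup" ui="jsconsole" srcip=198.51.100.7 cfgpath="user.local" cfgobj="vpnuser1" msg="Add user.local vpnuser1"',
    'date=2024-12-01 time=03:19:01 type="event" subtype="system" logdesc="Object attribute configured" user="svc_backup" ui="jsconsole" srcip=198.51.100.7 cfgpath="user.group" cfgobj="SSLVPN_Users" cfgattr="member[vpnuser1]" msg="Edit user.group SSLVPN_Users"',
    'date=2024-12-01 time=03:25:13 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" user="vpnuser1" remip=192.0.2.19 tunneltype="ssl-web" action="tunnel-up"',
    'date=2024-12-01 time=08:02:55 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.10.5.20)" srcip=10.10.5.20 action="login" status="success"',
]

if __name__ == "__main__":
    found, ips = hunt(SAMPLE_LOGS)
    for rule, ip, user in found:
        print(f"{rule:32} src={ip:15} user={user}")
    print("distinct jsconsole source IPs:", sorted(ips))
```

Run against the constructed sample, the routine flags the jsconsole login, the output-setting change, the super admin creation, the new local user, the group membership change and the tunnel from an untrusted address, while the routine HTTPS login from the trusted management network produces nothing. In practice the trusted network list would come from the organisation's actual jump-host ranges, and the rule names map naturally onto SIEM alert titles.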
The campaign culminated in the adversaries using their SSL VPN access to obtain credentials for lateral movement using a method called DCSync. However, there is currently no visibility into their ultimate objectives, as they were evicted from the compromised environments before the attacks could progress to the next stage.
To mitigate such risks, organizations should not expose firewall management interfaces to the Internet and should restrict access to them to trusted users.
“Victimology in this campaign was not limited to any particular sector or size of organization,” the company said. “The diversity of victim organization profiles, combined with the emergence of automated log-in/log-out events, suggests that the targeting was opportunistic rather than deliberate and methodical.”