Threat hunters are calling attention to a new campaign that has targeted Fortinet FortiGate firewall devices with management interfaces exposed on the public internet.
“The campaign involved unauthorized administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes,” cybersecurity firm Arctic Wolf said in an analysis published last week.
The malicious activity is believed to have commenced in mid-November 2024, with unknown threat actors gaining unauthorized access to management interfaces on affected firewalls to alter configurations and extract credentials using DCSync.
The exact initial access vector is currently not known, although it has been assessed with “high confidence” that it’s likely driven by the exploitation of a zero-day vulnerability given the “compressed timeline across affected organizations as well as firmware versions affected.”
The firmware versions of devices that were impacted ranged between 7.0.14 and 7.0.16, which were released in February and October 2024 respectively.
The campaign has been observed going through four distinct attack phases that commenced around November 16, 2024, allowing the bad actors to progress from vulnerability scanning and reconnaissance to configuration changes and lateral movement.
“What stands out about these activities in contrast with legitimate firewall activities is the fact that they made extensive use of the jsconsole interface from a handful of unusual IP addresses,” Arctic Wolf researchers said.
“Given subtle differences in tradecraft and infrastructure between intrusions, it is possible that multiple individuals or groups may have been involved in this campaign, but jsconsole usage was a common thread across the board.”
The digital break-ins, in a nutshell, involved the attackers logging in to the firewall management interfaces to make configuration changes, including modifying the output setting from “standard” to “more,” as part of early reconnaissance efforts, before making more extensive changes to create new super admin accounts at the start of December 2024.
These newly created super admin accounts are said to have been subsequently used to set up as many as six new local user accounts per device and add them to existing groups that had been previously created by victim organizations for SSL VPN access. In other incidents, existing accounts were hijacked and added to groups with VPN access.
“Threat actors were also observed creating new SSL VPN portals which they added user accounts to directly,” Arctic Wolf noted. “Upon making the necessary changes, threat actors established SSL VPN tunnels with the affected devices. All of the client IP addresses of the tunnels originated from a handful of VPS hosting providers.”
The campaign culminated with the adversaries leveraging the SSL VPN access to extract credentials for lateral movement using a technique called DCSync. That said, there is currently no visibility into their end goals as they were purged from compromised environments before the attacks could proceed to the next stage.
To mitigate such risks, it’s essential that organizations do not expose their firewall management interfaces to the internet and limit the access to trusted users.
“The victimology in this campaign was not limited to any specific sectors or organization sizes,” the company said. “The diversity of victim organization profiles combined with the appearance of automated login/logout events suggests that the targeting was opportunistic in nature rather than being deliberately and methodically targeted.”
