In mid-November 2024, a sophisticated cybersecurity threat emerged, targeting Fortinet FortiGate firewall devices with exposed management interfaces. This campaign involved unauthorized administrative access, leading to configuration changes and the creation of super-admin accounts. Cybersecurity firm Arctic Wolf analyzed this malicious activity, revealing that attackers utilized a zero-day vulnerability, indicating a high level of sophistication in their approach.
The Initial Discovery and Attack Timeline
Emergence of the Threat
The attack campaign was first noticed around November 16, 2024. It began with vulnerability scanning and reconnaissance, followed by configuration changes and lateral movement. Attackers exploited the jsconsole interface from unusual IP addresses, hinting at multiple threat actors or groups being involved due to diverse tradecraft and infrastructure nuances. This activity soon revealed a coordinated approach from the attackers, characterized by systematic phases that showed a clear understanding of the targeted systems.
By monitoring unusual IP addresses accessing the jsconsole interface, Arctic Wolf identified varied techniques and infrastructure used by the attackers. The initial phase of vulnerability scanning was followed by reconnaissance, where attackers began altering settings. These modifications included changing output settings from “standard” to “more” to facilitate data gathering. This step was critical as it allowed for deeper system insights before further compromises. The attack’s multi-faceted phases underscored a planned execution, blending automated scanning with manual interventions.
Phases of the Attack
The campaign’s phases included initial vulnerability scanning, reconnaissance, and subsequent configuration changes. Attackers modified settings such as changing the output setting from “standard” to “more” to facilitate early reconnaissance. As the campaign advanced, they created super-admin accounts and used these to set up additional local user accounts with SSL VPN access. Such actions represented a strategic progression where initial access and information gathering set the stage for broader control and deeper infiltration.
In the latter stages, the attackers’ focus shifted increasingly towards consolidating their control. By using super-admin privileges, attackers generated additional accounts, enabling sustained access. A notable tactic involved creating new local user accounts and assigning these users to SSL VPN access groups. This move not only simplified access but also facilitated lateral movement within networks. Hijacking existing accounts and incorporating them into newly created VPN access groups further complicated detection and response efforts, showcasing the attackers’ adaptability and organization.
Techniques and Tools Used by Attackers
Configuration Changes and Account Creation
A significant aspect of this attack was the alteration of firewall configurations. Attackers created super-admin accounts and used these to set up additional local user accounts with SSL VPN access. Some incidents saw existing user accounts hijacked and added to VPN access groups created by the victim organizations. This method allowed attackers to blend in with legitimate network traffic, making it harder for security teams to identify and isolate malicious activity.
The attackers displayed a keen understanding of firewall management processes, manipulating configurations to secure persistent access. By altering firewall settings and expanding the user base with privileged accounts, they effectively bypassed traditional security measures. Such actions played a crucial role in maintaining a stronghold within the compromised networks. The expansion of user access through stolen or newly created credentials revealed an intricate web of strategies aimed at evading detection. Each step demonstrated high technical acumen and an ability to exploit system defenses to their advantage.
SSL VPN Portals and Lateral Movement
One technique used by the attackers was the creation of new SSL VPN portals, to which they directly added user accounts. These VPN tunnels enabled the attackers to maintain a foothold in the compromised networks. The client IP addresses of these tunnels were traced back to a few VPS hosting providers, indicating a coordinated infrastructure. The strategic use of VPN tunnels facilitated seamless network traversal and evaded potential monitoring mechanisms in place.
The creation of dedicated SSL VPN portals demonstrated the attackers’ intent to sustain long-term access. By leveraging these tunnels, they maintained a consistent connection to the compromised networks, furthering lateral movement. This strategy involved setting up user accounts specifically tied to VPN portals, enabling unobstructed access pathways. The coordination observed in the client IP addresses, linked to specific VPS providers, suggested an organized effort supported by substantial resources. This methodical approach showcased the attackers’ emphasis on maintaining a covert and resilient network presence.
The Role of the Zero-Day Vulnerability
Exploitation of CVE-2024-55591
Fortinet confirmed the discovery of a new critical authentication bypass vulnerability in FortiOS and FortiProxy, designated as CVE-2024-55591, with a CVSS score of 9.6. This vulnerability permits remote attackers to gain super-admin privileges through crafted requests to the Node.js websocket module. The vulnerability affects various versions of FortiOS and FortiProxy, necessitating urgent upgrades to the noted safer versions. The exploitation of this zero-day vulnerability highlighted a critical point of entry into the affected systems.
The vulnerability CVE-2024-55591 involved a crafted request tactic, enabling attackers to sidestep authentication protocols. Fortinet’s advisory underscored the need for immediate action, urging users to upgrade to secure versions. This bypass vulnerability not only granted super-admin rights but also exemplified the heightened risk associated with unpatched systems. The swift identification and public disclosure reflected the urgency in addressing this exposure. The exploitation demonstrated the attackers’ proficiency in locating and leveraging undisclosed weaknesses within widely used software.
Impact and Response
The active exploitation of CVE-2024-55591 has led to the inclusion of this flaw in the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. This inclusion requires federal agencies to apply fixes by January 21, 2025, reflecting the high-risk nature of this vulnerability. The mandate indicates the severity and potential widespread impact of the vulnerability, pushing for rapid remedial actions across affected industries.
The listing in the KEV catalog signaled a crucial move toward fortifying digital defenses. CISA’s directive emphasized the importance of timely patching to mitigate risks. This call to action not only targeted federal entities but also served as a broader advisory for all organizations using affected versions. The collaborative response between Fortinet and governmental bodies underscored a unified effort in addressing the threat. Enforcing strict deadlines for applying fixes aimed to curtail the window of exploitation, maintaining data integrity and organizational security.
Mitigation and Best Practices
Fortinet’s Advisory and Recommendations
Fortinet has been proactive in communicating with its customers, providing guidance on mitigating this risk, including solutions and workarounds. They continue to collaborate with government agencies and industry threat research organizations to bolster their response to this threat. Fortinet’s advisory stresses the importance of timely patching and continuous network monitoring to mitigate cyber risks. The comprehensive approach aims to enhance resilience against emerging threats and ensure sustained protection.
Advisories issued by Fortinet outlined specific steps for securing systems. Key recommendations included deploying updates to affected FortiOS and FortiProxy versions and implementing robust monitoring protocols. Additionally, guidance emphasized restricting access and continuously assessing network interfaces. The collaboration with external agencies and research bodies highlighted a multidisciplinary approach to threat mitigation. By fostering open communication channels, Fortinet ensured that users received accurate and timely updates, enabling informed decisions.
Importance of Securing Firewall Management Interfaces
The threat campaign involved hackers gaining unauthorized administrative access, which allowed them to make configuration changes and create new super-admin accounts, giving them broader control over the devices. Cybersecurity firm Arctic Wolf was quick to analyze this malicious activity. Their investigation revealed that the attackers had exploited a zero-day vulnerability, a flaw in the system that was previously unknown and thus unpatched. The use of such a vulnerability indicates that the attackers were highly skilled and had a deep understanding of the system. This level of sophistication in cyber attacks is particularly concerning, as it highlights the need for robust security measures and continuous monitoring of system vulnerabilities to prevent such breaches in the future.