How Were Fortinet Firewalls Compromised by Sophisticated Attacks?

In mid-November 2024, a sophisticated cybersecurity threat emerged, targeting Fortinet FortiGate firewall devices with exposed management interfaces. This campaign involved unauthorized administrative access, leading to configuration changes and the creation of super-admin accounts. Cybersecurity firm Arctic Wolf analyzed this malicious activity, revealing that attackers utilized a zero-day vulnerability, indicating a high level of sophistication in their approach.

The Initial Discovery and Attack Timeline

Emergence of the Threat

The attack campaign was first noticed around November 16, 2024. It began with vulnerability scanning and reconnaissance, followed by configuration changes and lateral movement. Attackers exploited the jsconsole interface from unusual IP addresses, hinting at multiple threat actors or groups being involved due to diverse tradecraft and infrastructure nuances. This activity soon revealed a coordinated approach from the attackers, characterized by systematic phases that showed a clear understanding of the targeted systems.

By monitoring unusual IP addresses accessing the jsconsole interface, Arctic Wolf identified varied techniques and infrastructure used by the attackers. The initial phase of vulnerability scanning was followed by reconnaissance, where attackers began altering settings. These modifications included changing output settings from “standard” to “more” to facilitate data gathering. This step was critical as it allowed for deeper system insights before further compromises. The attack’s multi-faceted phases underscored a planned execution, blending automated scanning with manual interventions.

Phases of the Attack

The campaign’s phases included initial vulnerability scanning, reconnaissance, and subsequent configuration changes. Attackers modified settings such as changing the output setting from “standard” to “more” to facilitate early reconnaissance. As the campaign advanced, they created super-admin accounts and used these to set up additional local user accounts with SSL VPN access. Such actions represented a strategic progression where initial access and information gathering set the stage for broader control and deeper infiltration.

In the latter stages, the attackers’ focus shifted increasingly towards consolidating their control. By using super-admin privileges, attackers generated additional accounts, enabling sustained access. A notable tactic involved creating new local user accounts and assigning these users to SSL VPN access groups. This move not only simplified access but also facilitated lateral movement within networks. Hijacking existing accounts and incorporating them into newly created VPN access groups further complicated detection and response efforts, showcasing the attackers’ adaptability and organization.

Techniques and Tools Used by Attackers

Configuration Changes and Account Creation

A significant aspect of this attack was the alteration of firewall configurations. Attackers created super-admin accounts and used these to set up additional local user accounts with SSL VPN access. Some incidents saw existing user accounts hijacked and added to VPN access groups created by the victim organizations. This method allowed attackers to blend in with legitimate network traffic, making it harder for security teams to identify and isolate malicious activity.

The attackers displayed a keen understanding of firewall management processes, manipulating configurations to secure persistent access. By altering firewall settings and expanding the user base with privileged accounts, they effectively bypassed traditional security measures. Such actions played a crucial role in maintaining a stronghold within the compromised networks. The expansion of user access through stolen or newly created credentials revealed an intricate web of strategies aimed at evading detection. Each step demonstrated high technical acumen and an ability to exploit system defenses to their advantage.

SSL VPN Portals and Lateral Movement

One technique used by the attackers was the creation of new SSL VPN portals, to which they directly added user accounts. These VPN tunnels enabled the attackers to maintain a foothold in the compromised networks. The client IP addresses of these tunnels were traced back to a few VPS hosting providers, indicating a coordinated infrastructure. The strategic use of VPN tunnels facilitated seamless network traversal and evaded potential monitoring mechanisms in place.

The creation of dedicated SSL VPN portals demonstrated the attackers’ intent to sustain long-term access. By leveraging these tunnels, they maintained a consistent connection to the compromised networks, furthering lateral movement. This strategy involved setting up user accounts specifically tied to VPN portals, enabling unobstructed access pathways. The coordination observed in the client IP addresses, linked to specific VPS providers, suggested an organized effort supported by substantial resources. This methodical approach showcased the attackers’ emphasis on maintaining a covert and resilient network presence.

The Role of the Zero-Day Vulnerability

Exploitation of CVE-2024-55591

Fortinet confirmed the discovery of a new critical authentication bypass vulnerability in FortiOS and FortiProxy, designated as CVE-2024-55591, with a CVSS score of 9.6. This vulnerability permits remote attackers to gain super-admin privileges through crafted requests to the Node.js websocket module. The vulnerability affects various versions of FortiOS and FortiProxy, necessitating urgent upgrades to the noted safer versions. The exploitation of this zero-day vulnerability highlighted a critical point of entry into the affected systems.

The vulnerability CVE-2024-55591 involved a crafted request tactic, enabling attackers to sidestep authentication protocols. Fortinet’s advisory underscored the need for immediate action, urging users to upgrade to secure versions. This bypass vulnerability not only granted super-admin rights but also exemplified the heightened risk associated with unpatched systems. The swift identification and public disclosure reflected the urgency in addressing this exposure. The exploitation demonstrated the attackers’ proficiency in locating and leveraging undisclosed weaknesses within widely used software.

Impact and Response

The active exploitation of CVE-2024-55591 has led to the inclusion of this flaw in the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. This inclusion requires federal agencies to apply fixes by January 21, 2025, reflecting the high-risk nature of this vulnerability. The mandate indicates the severity and potential widespread impact of the vulnerability, pushing for rapid remedial actions across affected industries.

The listing in the KEV catalog signaled a crucial move toward fortifying digital defenses. CISA’s directive emphasized the importance of timely patching to mitigate risks. This call to action not only targeted federal entities but also served as a broader advisory for all organizations using affected versions. The collaborative response between Fortinet and governmental bodies underscored a unified effort in addressing the threat. Enforcing strict deadlines for applying fixes aimed to curtail the window of exploitation, maintaining data integrity and organizational security.

Mitigation and Best Practices

Fortinet’s Advisory and Recommendations

Fortinet has been proactive in communicating with its customers, providing guidance on mitigating this risk, including solutions and workarounds. They continue to collaborate with government agencies and industry threat research organizations to bolster their response to this threat. Fortinet’s advisory stresses the importance of timely patching and continuous network monitoring to mitigate cyber risks. The comprehensive approach aims to enhance resilience against emerging threats and ensure sustained protection.

Advisories issued by Fortinet outlined specific steps for securing systems. Key recommendations included deploying updates to affected FortiOS and FortiProxy versions and implementing robust monitoring protocols. Additionally, guidance emphasized restricting access and continuously assessing network interfaces. The collaboration with external agencies and research bodies highlighted a multidisciplinary approach to threat mitigation. By fostering open communication channels, Fortinet ensured that users received accurate and timely updates, enabling informed decisions.

Importance of Securing Firewall Management Interfaces

The threat campaign involved hackers gaining unauthorized administrative access, which allowed them to make configuration changes and create new super-admin accounts, giving them broader control over the devices. Cybersecurity firm Arctic Wolf was quick to analyze this malicious activity. Their investigation revealed that the attackers had exploited a zero-day vulnerability, a flaw in the system that was previously unknown and thus unpatched. The use of such a vulnerability indicates that the attackers were highly skilled and had a deep understanding of the system. This level of sophistication in cyber attacks is particularly concerning, as it highlights the need for robust security measures and continuous monitoring of system vulnerabilities to prevent such breaches in the future.

Explore more

How Are A2A Payments Reshaping Global E-Commerce?

The traditional dominance of plastic-reliant credit card networks is finally crumbling as a more direct and cost-effective method of moving money begins to dominate the world of global digital commerce. For decades, the invisible architecture of the internet was built upon the foundations of the 1950s, using credit cards as a primary bridge between consumers and vendors. This system worked,

Aptar Unveils Durable Packaging Solutions for E-Commerce

The sticky residue of a leaked shampoo bottle pooling at the bottom of a cardboard box has become a familiar, albeit infuriating, ritual for many online shoppers today. This common consumer disappointment often marks the end of brand loyalty, as the unboxing experience—once a moment of high anticipation—transforms into a messy cleanup operation. For beauty and home care brands, ensuring

Intuit Enterprise Suite Delivers AI-Native ERP for Growth

The chasm between a mid-market company’s ambitious expansion goals and its actual operational capacity has historically been widened by fragmented software architectures that fail to communicate. While entry-level accounting tools serve their purpose during the early stages of a startup, they often become a liability as complexity increases, leaving finance teams to bridge the gaps with manual spreadsheets and guesswork.

Is macOS 27 Golden Gate More Than Just Apple Intelligence?

The launch of the macOS 27 Golden Gate public beta marks a significant evolution in Apple’s long-standing effort to reconcile high-level automation with the granular control required by power users. While the promotional narrative surrounding this release is dominated by the sophisticated capabilities of Apple Intelligence and a revamped Siri, the update offers far more than just a layer of

OpenAI Shifts to Outcome-First Prompting for GPT-5.6 Sol

The transition from instructional prompt engineering to a goal-oriented framework represents a seismic shift in how human operators interact with large language models during the current technological cycle. For years, the industry relied on meticulously crafted chain-of-thought instructions to ensure accuracy, but the arrival of GPT-5.6 Sol marks the end of this labor-intensive era. This new architecture prioritizes the final