Recent reports have highlighted a concerning campaign targeting Fortinet FortiGate firewalls with exposed management interfaces on the public internet. Released by cybersecurity firm Arctic Wolf, this analysis reveals significant unauthorized access to these critical devices. The attackers were able to log in as administrators, create new accounts, authenticate through SSL VPNs, and make various other configuration changes without authorization.

This malicious activity is believed to have begun in mid-November 2024, with threat actors using the management interfaces to alter configurations and extract credentials through a technique known as DCSync. While the precise method of initial access remains unclear, experts are highly confident that the attack relied on a zero-day vulnerability, based on the rapid sequence of events and the firmware versions affected.

The firmware versions targeted in this campaign span 7.0.14 to 7.0.16, released between February and October 2024. The attack unfolded in four distinct phases starting around November 16, 2024, progressing from reconnaissance to more severe activity such as configuration modifications and lateral movement. Notably, the attackers used the jsconsole interface from a small number of unusual IP addresses, which distinguishes their activity from normal administrative use of the firewall.

Arctic Wolf researchers noted the sophistication of these maneuvers, indicating that while multiple individuals or groups may have been involved, the common thread was the specific use of jsconsole. Initial access allowed the attackers to log in and make configuration adjustments, such as changing the output setting to aid reconnaissance; by early December they were creating new super admin accounts, which in turn were used to establish additional local user accounts across affected devices.

This unauthorized privilege escalation was accompanied by the creation of SSL VPN portals, which further facilitated the extraction of credentials necessary for lateral movements within victim networks. The actors established SSL VPN tunnels that originated from several VPS hosting services, indicating a deliberate strategy to obfuscate their activities.
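The two behaviours described above, jsconsole logins from unusual addresses and the creation of new super admin accounts, are both visible in FortiGate's own event logs. The following detection sketch is an added example, not code from Arctic Wolf or Fortinet; the log lines are constructed to mirror the key=value syslog format, and the trusted-management-IP allowlist and field names used for matching are assumptions to adapt to your environment.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample FortiGate event-log lines in the key=value syslog format.
# They are illustrative, not lines taken from the Arctic Wolf report or any advisory.
SAMPLE_LOGS = [
    'date=2024-11-16 time=10:02:11 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" '
    'srcip=198.51.100.7 action="login" status="success" '
    'msg="Administrator admin logged in successfully from jsconsole"',
    'date=2024-11-16 time=10:05:40 type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole" action="Add" '
    'cfgpath="system.admin" cfgobj="svc_backup" '
    'cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin svc_backup"',
    'date=2024-11-16 time=11:30:00 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" ui="GUI(10.0.0.5)" method="https" '
    'srcip=10.0.0.5 action="login" status="success" '
    'msg="Administrator admin logged in successfully from https(10.0.0.5)"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate log line into a dict, stripping quotes from values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def detect_suspicious_admin_activity(lines: Iterable[str],
                                     trusted_mgmt_ips: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (finding, user, detail) tuples for two campaign behaviours:
    admin logins via the jsconsole UI from non-allowlisted addresses, and
    creation of new system.admin objects carrying the super_admin profile."""
    trusted = set(trusted_mgmt_ips)  # assumed allowlist of management hosts
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        ev = parse_fortigate_log(line)
        if ev.get("type") != "event" or ev.get("subtype") != "system":
            continue
        user, src = ev.get("user", "?"), ev.get("srcip", "?")
        # 1) jsconsole logins are rare for real admins and never from untrusted IPs.
        if (ev.get("logdesc") == "Admin login successful"
                and ev.get("ui") == "jsconsole" and src not in trusted):
            findings.append(("jsconsole_login_untrusted_ip", user, src))
        # 2) a new admin object with the super_admin access profile, from any source.
        if (ev.get("logdesc") == "Object attribute configured" and ev.get("action") == "Add"
                and ev.get("cfgpath") == "system.admin"
                and "accprofile[super_admin]" in ev.get("cfgattr", "")):
            findings.append(("super_admin_account_created", user, ev.get("cfgobj", "?")))
    return findings

if __name__ == "__main__":
    for finding in detect_suspicious_admin_activity(SAMPLE_LOGS, {"10.0.0.5"}):
        print(finding)
```

In production the same checks belong in the SIEM that receives the firewall's syslog feed, correlated with the SSL VPN portal and policy changes the report describes.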

Fortinet confirmed the exploitation of a new critical vulnerability, identified as CVE-2024-55591, which permits remote attackers to gain super-admin privileges via crafted requests to its websocket module. This vulnerability affects various FortiOS and FortiProxy versions and has been recognized as being leveraged to create admin accounts and modify firewall policies. As of now, no clear objectives of the attackers have been established, as they purged any trace of their presence before executing further stages of the attack.

In response to these active exploitation efforts, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has incorporated this vulnerability into its Known Exploited Vulnerabilities catalog, demanding immediate remediation from federal agencies. Fortinet continues to communicate proactively with its customers, providing necessary guidance and urging vigilance against this critical threat.

This incident underscores the importance of securing firewall management interfaces and limiting internet exposure. Business owners must remain vigilant, employing robust security practices to mitigate risks posed by evolving cyber threats. The ongoing developments illustrate that cyber adversaries are continuously adapting their tactics, and organizations must keep pace to protect their digital environments effectively.

Mapped to the MITRE ATT&CK framework, the campaign spans the initial access, privilege escalation, and credential access tactics. Organizations should prioritize patching this vulnerability and restricting access to management interfaces as part of their overall security strategy.