Miscreants ‘mass exploited’ Fortinet firewalls, ‘highly probable’ zero-day used
Miscreants running a “mass exploitation campaign” against Fortinet firewalls, which peaked in December, may be using an unpatched zero-day vulnerability to compromise the equipment, according to security researchers who say they’ve observed the intrusions.
The team report the networking gear maker has yet to link the malicious activity to a specific flaw, assign a CVE, or patch a related hole.
Arctic Wolf Labs’ lead threat intelligence researcher Stefan Hostetler told The Register his colleagues noticed “a cluster of intrusions affecting Fortinet devices in the tens” beginning early last month and mostly occurring within three days of each other.
“The pattern of activity we observed was consistent with opportunistic widespread exploitation, given that each of the affected victim organizations had somewhere between hundreds to thousands of malicious login events on Fortinet firewall devices,” Hostetler told us.
He added this number of break-ins only represents “a limited sample compared to the total actual number of devices that were likely affected.”
In these attacks, the unknown criminals somehow gained access to Fortinet FortiGate firewalls with internet-exposed management interfaces. The lab reckons it’s “highly probable” a zero-day – a flaw the vendor was unaware of and has not yet patched – was used.
With this access, they altered the firewall configurations, used SSL VPN tunnels to maintain a connection to the compromised devices, and then began stealing credentials for lateral movement through the victims’ networks. All the exact details of the intrusions are still being figured out, from what we can tell.
“While the initial access vector used in this campaign is not yet confirmed, Arctic Wolf Labs assesses with high confidence that mass exploitation of a zero-day vulnerability is likely given the compressed timeline across affected organizations as well as firmware versions affected,” Hostetler along with Julian Tuin, Trevor Daher, Jon Grimm, Alyssa Newbury, Joe Wedderspoon, and Markus Neis explained in a write-up late last week.
Affected firmware versions range from 7.0.14, which was released in February 2024, to 7.0.16, released in October 2024.
Hostetler said the last traces of this campaign were observed in late December.
The threat intel team notified Fortinet about the digital break-ins on December 12, and received confirmation by FortiGuard Labs PSIRT that the malicious activity was under investigation as of December 17.
However, “Arctic Wolf Labs has not received confirmation from Fortinet that a specific vulnerability exists matching the campaign parameters that we observed, or whether said vulnerability has been fixed,” Hostetler noted.
Fortinet did not immediately respond to The Register’s inquiries. We will update this story if we hear back from the firewall vendor.
Suspicious jsconsole logins
One of the interesting features of these attacks is their “extensive” use of the devices’ web-based command-line interface, logged by the firmware under a jsconsole label, with unusual source IP addresses that appear to be spoofed, we’re told. By unusual, we mean loopback and public DNS resolver addresses. This strange activity began as early as November 16 across victim orgs in a variety of sectors.
More specifically, we’re told that suspicious connections were opened from these likely spoofed IP addresses to TCP port 8023 (the web-based CLI port on the devices) as well as TCP port 9980, which is used for security fabric features and sending REST API queries to FortiGate gear.
“Typically, the total count of successful jsconsole logins from anomalous IP addresses ranged between several hundred and several thousand entries for each victim organization, spanning between November 16, 2024 and the end of December 2024,” the lab team wrote.
While most of these sessions only lasted a second or less, in some cases, multiple logins or logouts occurred within the same second, and the team documented “up to four events occurring per second,” indicating these were automated attempts.
Despite the malicious login activity starting in mid-November, the Arctic Wolf pack notes the “impactful” aforementioned firewall configuration changes didn’t happen “en masse” until December 4, continuing through December 7. The first unauthorized configuration change, however, was made on November 22.
And then the config changes began
In all of these, the attackers changed the output setting — this determines whether the user needs to interact with the web-based CLI console to see the next page of output — first setting it to “standard” before switching it to “more,” meaning an input is needed to see more text, typically making these changes between 10 and 30 seconds of each other.
“The purpose of these changes is not known, but it may hint at threat actors’ preferred mode of interacting with the web console,” according to the report. “It is also possible that this was a simple means of verifying that access was successfully obtained to commit changes on exploited firewalls.”
And then, beginning December 4, “substantial changes” to configurations began with the intruders attempting to gain SSL VPN access to the compromised devices.
They used various methods to achieve this: In some instances, they created new super admin accounts, and then used these to open up to six local user accounts per device. All of these were ultimately added to the victim org’s existing groups created for SSL VPN access.
In other cases, however, existing accounts were hijacked and then also added to the existing groups with VPN access. Additionally, the miscreants created new SSL VPN portals and added user accounts directly to these.
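For defenders who want to hunt for the indicators described above (jsconsole logins from loopback or public-resolver source addresses, several login/logout events in a single second, the output setting flipped from “standard” to “more” within about 30 seconds, and the account, group and portal changes used to obtain SSL VPN access), the following script is an added example and is not code from The Register, Arctic Wolf or Fortinet. The sample log lines are constructed; the field names (`ui`, `srcip`, `action`, `cfgpath`, `cfgobj`, `cfgattr`) are assumed to follow FortiGate's key=value event-log convention, the public-resolver list is a sample, and the thresholds are assumptions to tune locally.

```python
"""Added triage helper: scan FortiGate-style event logs for the indicators in the article.
Field names and the sample lines below are assumptions modelled on FortiGate's
key=value event-log convention; verify them against your own devices' output."""
import ipaddress
import re
from collections import Counter
from datetime import datetime

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log: spoofed-looking jsconsole logins, a burst of events in one second,
# one legitimate HTTPS login, the console output flip, then the SSL VPN access changes.
SAMPLE_LOG = """\
date=2024-11-16 time=03:14:07 devname="fw-edge-1" type="event" logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=127.0.0.1 action="login" status="success"
date=2024-11-16 time=03:14:07 devname="fw-edge-1" type="event" logdesc="Admin logout successful" user="admin" ui="jsconsole" srcip=127.0.0.1 action="logout" status="success"
date=2024-11-16 time=03:14:07 devname="fw-edge-1" type="event" logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=8.8.8.8 action="login" status="success"
date=2024-11-16 time=03:14:08 devname="fw-edge-1" type="event" logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=1.1.1.1 action="login" status="success"
date=2024-11-16 time=09:00:00 devname="fw-edge-1" type="event" logdesc="Admin login successful" user="netops" ui="https(10.0.5.12)" srcip=10.0.5.12 action="login" status="success"
date=2024-11-22 time=03:20:01 devname="fw-edge-1" type="event" logdesc="Attribute configured" user="admin" ui="jsconsole" srcip=127.0.0.1 action="Edit" cfgpath="system.console" cfgattr="output[more->standard]"
date=2024-11-22 time=03:20:19 devname="fw-edge-1" type="event" logdesc="Attribute configured" user="admin" ui="jsconsole" srcip=127.0.0.1 action="Edit" cfgpath="system.console" cfgattr="output[standard->more]"
date=2024-12-04 time=02:11:40 devname="fw-edge-1" type="event" logdesc="Object configured" user="admin" ui="jsconsole" srcip=127.0.0.1 action="Add" cfgpath="system.admin" cfgobj="svcadm" cfgattr="accprofile[super_admin]"
date=2024-12-04 time=02:12:05 devname="fw-edge-1" type="event" logdesc="Object configured" user="svcadm" ui="jsconsole" srcip=127.0.0.1 action="Add" cfgpath="user.local" cfgobj="vpnuser7"
date=2024-12-04 time=02:12:30 devname="fw-edge-1" type="event" logdesc="Attribute configured" user="svcadm" ui="jsconsole" srcip=127.0.0.1 action="Edit" cfgpath="user.group" cfgobj="sslvpn-users" cfgattr="member[alice bob->alice bob vpnuser7]"
date=2024-12-04 time=02:13:02 devname="fw-edge-1" type="event" logdesc="Object configured" user="svcadm" ui="jsconsole" srcip=127.0.0.1 action="Add" cfgpath="vpn.ssl.web.portal" cfgobj="remote-support"
"""

# Sample list of well-known public resolvers (an assumption; feed your own data in practice).
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9", "149.112.112.112"}

def parse_fortigate_line(line):
    """Split one key=value event line into a dict, unquoting quoted values."""
    return {k: (q or bare) for k, q, bare in KV_RE.findall(line)}

def parse_log(text):
    """Parse every non-empty line and attach a datetime built from the date= and time= fields."""
    events = [parse_fortigate_line(ln) for ln in text.splitlines() if ln.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
    return events

def is_anomalous_source(ip):
    """Loopback or public-resolver addresses cannot be real admin clients of a management
    interface, so a login attributed to one is almost certainly a spoofed source field."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or ip in PUBLIC_RESOLVERS

def suspicious_jsconsole_logins(events):
    """Successful web-CLI (jsconsole) logins whose source address is anomalous."""
    return [e for e in events if e.get("ui") == "jsconsole" and e.get("action") == "login"
            and e.get("status") == "success" and is_anomalous_source(e.get("srcip", ""))]

def login_bursts(events, per_second=2):
    """Seconds in which a device logged several jsconsole login/logout events: a human
    cannot log in and out repeatedly within one second, so this points at automation."""
    counts = Counter((e["devname"], e["ts"]) for e in events
                     if e.get("ui") == "jsconsole" and e.get("action") in ("login", "logout"))
    return {k: n for k, n in counts.items() if n >= per_second}

def console_output_flips(events, max_gap=30):
    """system.console output set to 'standard' and then to 'more' by the same admin on the
    same device within max_gap seconds (the sequence the article describes)."""
    hits, last_standard = [], {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e.get("cfgpath") != "system.console":
            continue
        attr, key = e.get("cfgattr", ""), (e.get("devname"), e.get("user"))
        if attr.endswith("->standard]"):
            last_standard[key] = e["ts"]
        elif attr.endswith("->more]") and key in last_standard:
            gap = (e["ts"] - last_standard[key]).total_seconds()
            if 0 <= gap <= max_gap:
                hits.append((e["devname"], e["user"], e.get("srcip"), gap))
    return hits

def vpn_access_changes(events):
    """Config changes that grant SSL VPN access: new super_admin accounts, new local users,
    edited group membership, and newly created SSL VPN portals."""
    findings = []
    for e in events:
        path, action, attr = e.get("cfgpath"), e.get("action"), e.get("cfgattr", "")
        if path == "system.admin" and action == "Add" and "super_admin" in attr:
            findings.append(("new_super_admin", e.get("cfgobj")))
        elif path == "user.local" and action == "Add":
            findings.append(("new_local_user", e.get("cfgobj")))
        elif path == "user.group" and attr.startswith("member["):
            findings.append(("group_membership_changed", e.get("cfgobj")))
        elif path == "vpn.ssl.web.portal" and action == "Add":
            findings.append(("new_sslvpn_portal", e.get("cfgobj")))
    return findings

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("jsconsole logins from anomalous sources:", len(suspicious_jsconsole_logins(evs)))
    print("bursty seconds:", login_bursts(evs))
    print("console output flips:", console_output_flips(evs))
    print("SSL VPN access changes:", vpn_access_changes(evs))
```

Each detector is deliberately narrow so the findings can be reviewed one at a time: the anomalous-source check alone is a high-confidence signal on a management interface, while the account and portal changes are only suspicious when they were not made through a change ticket, so they are reported rather than scored.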
Finally, once the attackers established SSL VPN tunnels, they harvested credentials to enable lateral movement within the victims’ networks. They used DC Sync, a technique that simulates a domain controller to extract password hashes for Active Directory accounts. A workstation with the hostname kali was observed in the attackers’ environment, suggesting the use of Kali Linux tools.
We don’t know what they planned to do with this admin access, however, because Arctic Wolf tells us “the threat actors were removed from affected environments before they could proceed any further.”
While the team doesn’t have direct visibility into the intruders’ end goal for the digital break-ins, “what we can say is that ransomware is not off the table,” Hostetler told us, citing earlier research during which the security shop spotted Akira and Fog ransomware affiliates using “some of the same network providers to establish VPN connectivity.”
Still, he cautioned, this is not an attribution as several criminal groups use the same providers. ®