Source |
Techworm |
Identifier |
8637225 |
Publication date |
2025-01-14 21:51:07 (viewed: 2025-01-14 16:53:30) |
Title |
Zero-Day Vulnerability Targets Fortinet FortiGate Firewalls |
Text |
Cybersecurity firm Arctic Wolf disclosed on Friday that threat actors recently targeted Fortinet FortiGate firewall devices with management interfaces exposed on the public Internet in a suspected zero-day campaign.
According to Arctic Wolf Labs researchers, malicious activity against Fortinet firewalls began in mid-November 2024. Unknown threat actors altered firewall configurations by accessing management interfaces on affected firewalls and extracting credentials using DCSync in compromised environments.
“The campaign involved unauthorized administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes,” security researchers at Arctic Wolf wrote in a blog post published last week.
While the initial access vector used in this campaign currently remains unknown, Arctic Wolf Labs assesses with high confidence that a “mass exploitation campaign” against a zero-day vulnerability is likely, given the compressed timelines across affected organizations and the range of affected firmware versions.
Firmware versions from 7.0.14 through 7.0.16 were predominantly affected; these were released in February 2024 and October 2024 respectively.
Arctic Wolf Labs has currently identified four separate attack phases of the campaign that targeted vulnerable FortiGate devices between November 2024 and December 2024:
Phase 1: Vulnerability scanning (November 16, 2024 to November 23, 2024)
Phase 2: Reconnaissance (November 22, 2024 to November 27, 2024)
Phase 3: SSL VPN configuration (December 4, 2024 to December 7, 2024)
Phase 4: Lateral movement (December 16, 2024 to December 27, 2024)
In the first phase, the threat actors conducted vulnerability scans and made use of jsconsole sessions with connections to and from unusual IP addresses, such as loopback addresses (e.g., 127.0.0.1) and popular DNS resolvers including Google Public DNS and Cloudflare, which makes such sessions an ideal target for threat hunting.
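One way to hunt for the indicator described above, as an added example that is not part of the original article: a small parser over constructed, FortiOS-style key=value login events (the `ui=` and `srcip=` field names and the sample lines are assumptions, not taken from the report) that flags jsconsole logins whose source address is loopback or a well-known public resolver.

```python
import ipaddress
import re

# Public DNS resolver addresses of the providers named in the report
# (Google Public DNS and Cloudflare).
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}

# Constructed sample lines in an assumed FortiOS-style key=value layout;
# the ui= field carries the session type (jsconsole, https, ...).
SAMPLE_LOGS = [
    'date=2024-11-17 time=03:12:44 type="event" subtype="system" action="login" status="success" ui="jsconsole(127.0.0.1)" srcip=127.0.0.1 user="admin"',
    'date=2024-11-17 time=03:13:01 type="event" subtype="system" action="login" status="success" ui="jsconsole(8.8.8.8)" srcip=8.8.8.8 user="admin"',
    'date=2024-11-17 time=09:00:10 type="event" subtype="system" action="login" status="success" ui="https(10.0.0.5)" srcip=10.0.0.5 user="netops"',
    'date=2024-11-18 time=11:45:00 type="event" subtype="system" action="login" status="success" ui="jsconsole(10.0.0.7)" srcip=10.0.0.7 user="netops"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split a key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_anomalous_source(ip_text):
    """Loopback or a public resolver is not a plausible admin workstation."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip_text in PUBLIC_RESOLVERS


def flag_jsconsole_sessions(lines):
    """Return (srcip, user) for jsconsole logins from an anomalous source."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec.get("ui", "").startswith("jsconsole"):
            continue
        if is_anomalous_source(rec.get("srcip", "")):
            hits.append((rec["srcip"], rec.get("user", "")))
    return hits


if __name__ == "__main__":
    for src, user in flag_jsconsole_sessions(SAMPLE_LOGS):
        print(f"suspicious jsconsole login from {src} as {user}")
```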
In the reconnaissance phase, the attackers made the first unauthorized configuration changes across several victim organizations to verify whether they had successfully obtained access to commit changes on exploited firewalls.
During the third phase of the campaign, threat actors made substantial changes to compromised devices to establish SSL VPN access.
In some intrusions, they created new super admin accounts, while in others, they hijacked existing accounts to gain SSL VPN access. Threat actors also created new SSL VPN portals where the user accounts were added directly.
In the last phase, after successfully gaining SSL VPN access within the victim organization’s environment, the threat actors used the DCSync technique to extract credentials for lateral movement.
According to the cybersecurity company, the threat actors were removed from affected systems before they could proceed further.
Arctic Wolf Labs notified Fortinet about the activity observed in this campaign on December 12, 2024. FortiGuard Labs PSIRT confirmed on December 17, 2024, that it was aware of the activity and was actively investigating the issue.
To safeguard against such security issues, Arctic Wolf Labs recommends that organizations immediately disable firewall management access on public interfaces and limit access to trusted users.
It also advises regularly upgrading the firmware on firewall devices to the latest version to protect against known vulnerabilities.
|
Notes |
★★★
|
Sent |
Yes |
Tags |
Vulnerability
Threat
|