Full Report
Cybersecurity researchers are calling attention to a new campaign where threat actors are abusing FortiGate Next-Generation Firewall (NGFW) appliances as entry points to breach victim networks. The activity involves the exploitation of recently disclosed security vulnerabilities or weak credentials to extract configuration files containing service account credentials and network topology
Analysis Summary
# Incident Report: FortiGate Appliances Exploited for Service Account Harvest
## Executive Summary
Threat actors are targeting FortiGate Next-Generation Firewalls (NGFW) to gain initial access to high-value networks in the healthcare, government, and MSP sectors. Attackers exploit known vulnerabilities and weak credentials to extract configuration files, decrypt service account credentials (LDAP/AD), and move laterally to enroll rogue devices or exfiltrate Active Directory databases. These incidents highlight the risk posed by edge appliances that maintain deep integration with internal authentication infrastructure.
## Incident Details
- **Discovery Date:** February 2026
- **Incident Date:** Initial access began as early as November 2025
- **Affected Organization:** Multiple undisclosed entities
- **Sector:** Healthcare, Government, and Managed Service Providers (MSPs)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** November 2025 (Case 1); January 2026 (Case 2)
- **Vector:** Exploitation of known vulnerabilities (CVE-2025-59718, CVE-2025-59719, CVE-2026-24858) or weak credentials.
- **Details:** Attackers breached FortiGate appliances and created a local administrator account named "support" to maintain persistent access.
### Lateral Movement
- Attackers set up four unrestricted firewall policies to allow traffic across all network zones.
- They enrolled rogue workstations into the Active Directory (AD) after harvesting service account credentials.
- Attackers deployed remote access tools, including Pulseway and MeshAgent, on systems they reached.
### Data Exfiltration/Impact
- Extraction and decryption of FortiGate configuration files containing LDAP/AD service account credentials.
- Use of Java-based malware via DLL side-loading to exfiltrate `NTDS.dit` (AD database) and SYSTEM registry hives for offline password cracking.
### Detection & Response
- **Detection:** In one instance, detection occurred during the network scanning phase following the enrollment of rogue workstations.
- **Response Actions:** Lateral movement was halted upon detection; affected systems were contained to prevent full credential compromise from the stolen NTDS.dit file.
## Attack Methodology
- **Initial Access:** Exploitation of N-day FortiOS vulnerabilities and credential stuffing/brute force.
- **Persistence:** Creation of local "support" admin accounts; deployment of RMM tools (Pulseway, MeshAgent).
- **Privilege Escalation:** Decrypting service account credentials stored in the firewall configuration.
- **Defense Evasion:** Use of DLL side-loading to execute Java malware; periodic connectivity checks to mimic legitimate traffic.
- **Credential Access:** Extraction of `fortidcagent` service account credentials and theft of the `NTDS.dit` file.
- **Discovery:** Network scanning and topology mapping via the harvested configuration files.
- **Lateral Movement:** Enrollment of rogue AD workstations; unrestricted firewall policies.
- **Collection:** Gathering of AD databases and registry hives.
- **Exfiltration:** Data sent to external IP `172.67.196[.]232` over port 443.
- **Impact:** Potential for full domain compromise and future ransomware deployment.
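The credential-access and lateral-movement steps above leave a narrow telemetry footprint: the firewall's directory service account authenticating from somewhere other than the appliance, and computer accounts being created by that account or outside the organization's naming convention. The following is an added example, not code from the original report or from any vendor. It assumes a hypothetical service account name (`svc-fortidcagent`), a hypothetical appliance address (`10.0.0.1`), and a hypothetical `WS-` workstation naming convention; the log lines are constructed key=value records modelled on Windows Security event fields (4624 successful logon, 4741 computer account created) and are not real telemetry.

```python
"""Flag off-box use of a FortiGate's AD/LDAP service account and rogue
computer joins. Added example; assumptions are marked below."""

SERVICE_ACCOUNTS = {"svc-fortidcagent"}   # assumption: the firewall's bind account
APPLIANCE_ADDRESSES = {"10.0.0.1"}        # assumption: the only IP it should bind from
WORKSTATION_PREFIXES = ("WS-",)           # assumption: approved computer naming scheme

# Constructed sample records (not real logs). Field names follow the
# Windows 4624/4741 event schema: TargetUserName is the logged-on user
# for 4624 and the new computer object for 4741; SubjectUserName is the
# account that performed the 4741 creation.
SAMPLE_LOG = """\
EventID=4624 TargetUserName=svc-fortidcagent IpAddress=10.0.0.1 LogonType=3
EventID=4624 TargetUserName=svc-fortidcagent IpAddress=10.20.5.77 LogonType=3
EventID=4624 TargetUserName=alice IpAddress=10.20.5.10 LogonType=2
EventID=4741 SubjectUserName=svc-fortidcagent TargetUserName=DESKTOP-7K2Q$ IpAddress=10.20.5.77
EventID=4741 SubjectUserName=helpdesk TargetUserName=WS-0042$ IpAddress=10.20.5.10
"""


def parse_records(text):
    """Turn 'key=value key=value' lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        records.append(dict(token.split("=", 1) for token in line.split()))
    return records


def service_account_off_box(records):
    """Successful logons by a service account from anywhere but the appliance."""
    return [
        r for r in records
        if r.get("EventID") == "4624"
        and r.get("TargetUserName") in SERVICE_ACCOUNTS
        and r.get("IpAddress") not in APPLIANCE_ADDRESSES
    ]


def rogue_computer_joins(records):
    """Computer accounts created by a service account or outside the naming convention."""
    hits = []
    for r in records:
        if r.get("EventID") != "4741":
            continue
        creator = r.get("SubjectUserName", "")
        new_computer = r.get("TargetUserName", "")
        if creator in SERVICE_ACCOUNTS or not new_computer.startswith(WORKSTATION_PREFIXES):
            hits.append(r)
    return hits


def triage(text):
    """Return (rule, record) pairs for every suspicious line in the log text."""
    records = parse_records(text)
    findings = [("service-account-off-box", r) for r in service_account_off_box(records)]
    findings += [("rogue-computer-join", r) for r in rogue_computer_joins(records)]
    return findings


if __name__ == "__main__":
    for rule, rec in triage(SAMPLE_LOG):
        print(f"{rule}: {rec}")
```

On the sample the first rule fires once (the bind account logging on from `10.20.5.77`) and the second once (`DESKTOP-7K2Q$` created by the bind account); the `helpdesk` join of `WS-0042$` is left alone. In production the allowlists would come from the appliance inventory and the directory's naming policy rather than from constants.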
## Impact Assessment
- **Financial:** High potential loss due to Initial Access Brokers (IAB) selling access to ransomware affiliates.
- **Data Breach:** Compromise of service account credentials and Active Directory databases.
- **Operational:** Disruption to network security posture; necessity for organization-wide password resets.
- **Reputational:** Significant risk for MSPs and government agencies handling sensitive data.
## Indicators of Compromise
- **Network indicators:**
  - `172.67.196[.]232` (exfiltration IP)
  - Traffic to cloud storage buckets (AWS infrastructure) via PowerShell.
- **File indicators:**
  - Configuration backups extracted from FortiGate.
  - `NTDS.dit` and SYSTEM hive staging files.
- **Behavioral indicators:**
  - Creation of unauthorized local "support" accounts on firewalls.
  - New firewall policies allowing unrestricted inter-zone traffic.
  - Enrollment of unrecognized workstations in Active Directory.
## Response Actions
- **Containment:** Removal of unauthorized "support" accounts; revocation of rogue firewall policies.
- **Eradication:** Cleanup of MeshAgent/Pulseway installations and DLL side-loading payloads.
- **Recovery:** Full rotation of Active Directory service account credentials and LDAP bind passwords.
## Lessons Learned
- **Key Takeaways:** Edge appliances are high-value targets because they often hold "keys to the kingdom" through AD/LDAP integration.
- **Gaps:** Delayed detection between initial access (Nov) and lateral movement (Feb) indicates a need for better monitoring of firewall configuration changes and local account creation.
## Recommendations
- **Patch Management:** Immediately apply updates for CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858.
- **Hardening:** Use Multi-Factor Authentication (MFA) for all administrative access to network appliances.
- **Least Privilege:** Limit the permissions of service accounts used by firewalls for AD/LDAP integration; avoid using Domain Admin equivalents.
- **Monitoring:** Implement alerting for any modifications to firewall policies or the creation of local administrative accounts on edge devices.
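The two firewall-side behavioral indicators listed under Indicators of Compromise (unauthorized local admin accounts and unrestricted inter-zone policies) can both be checked against a configuration backup, which is also the cheapest way to act on the monitoring recommendation above. The following auditor is an added example, not code from the original report or from Fortinet. It assumes the FortiOS CLI backup layout (`config <table>` / `edit <entry>` / `set <key> <values>` / `next` / `end`) and an allowlist of expected admin names; the sample configuration is constructed for illustration and is not a real backup.

```python
"""Audit a FortiGate configuration backup for unexpected admin accounts
and any-to-any accept policies. Added example; assumptions are marked."""
import shlex

EXPECTED_ADMINS = {"admin"}  # assumption: your approved firewall admin inventory

# Constructed sample mirroring the FortiOS CLI layout (not a real backup).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "support"
        set accprofile "super_admin"
        set vdom "root"
    next
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "Internet"
        set action accept
        set service "HTTPS"
    next
    edit 99
        set name "tmp"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
end
"""


def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}} for top-level config tables.

    Nested 'config ... end' blocks inside an entry are tracked by depth so
    their 'end' does not close the outer table, but their contents are not
    recorded; the two tables audited here do not need them.
    """
    tables, table, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        try:
            tokens = shlex.split(raw)
        except ValueError:        # unbalanced quote; fall back to whitespace split
            tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "config":
            depth += 1
            if depth == 1:
                table = " ".join(tokens[1:])
                tables[table] = {}
        elif tokens[0] == "end":
            depth -= 1
            if depth == 0:
                table, entry = None, None
        elif depth == 1 and tokens[0] == "edit":
            entry = tokens[1]
            tables[table][entry] = {}
        elif depth == 1 and tokens[0] == "set" and entry is not None:
            tables[table][entry][tokens[1]] = tokens[2:]
        elif depth == 1 and tokens[0] == "next":
            entry = None
    return tables


def unexpected_admins(tables):
    """Local admin names that are not in the approved inventory."""
    return sorted(n for n in tables.get("system admin", {}) if n not in EXPECTED_ADMINS)


def unrestricted_policies(tables):
    """Policy IDs that accept all addresses and all services on any interface pair."""
    hits = []
    for pid, attrs in tables.get("firewall policy", {}).items():
        wide_open = (
            attrs.get("action") == ["accept"]
            and attrs.get("srcintf") == ["any"]
            and attrs.get("dstintf") == ["any"]
            and attrs.get("srcaddr") == ["all"]
            and attrs.get("dstaddr") == ["all"]
            and attrs.get("service") == ["ALL"]
        )
        if wide_open:
            hits.append(pid)
    return hits


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print("unexpected admins:", unexpected_admins(cfg))
    print("unrestricted policies:", unrestricted_policies(cfg))
```

Run against the sample, the auditor reports the `support` account and policy `99`; policy `1` is left alone because it is scoped to one interface pair, one destination object and one service. Diffing the two result lists between consecutive scheduled backups gives a simple change alert for exactly the modifications the recommendation asks to monitor.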