FortiGate SSO flaws allow attackers to steal configs, abuse AD creds, deploy RMM tools, and exfiltrate NTDS files.
# Incident Report: Stolen FortiGate Service Accounts Lead to AD Compromise
## Executive Summary
Threat actors exploited vulnerabilities or misconfigurations in FortiGate edge devices to steal configuration files and Single Sign-On (SSO) service account credentials. These credentials allowed attackers to join rogue workstations to the victim's Active Directory (AD) environment, providing a foothold for deep network penetration. The incident resulted in the deployment of Remote Monitoring and Management (RMM) tools and the exfiltration of the NTDS.dit file, representing a total compromise of the domain.
## Incident Details
- **Discovery Date:** November 2024 (as per SentinelLabs reporting)
- **Incident Date:** Mid-to-Late 2024
- **Affected Organization:** Multiple undisclosed entities
- **Sector:** Diversified (including Technology and Manufacturing)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** T-0
- **Vector:** Exploitation of FortiGate Edge devices (potentially via CVE-2024-23113 or similar SSO/FGSP flaws).
- **Details:** Attackers accessed the FortiGate firewall to extract configuration backups. These backups contained sensitive information, including hashed passwords and SSO service account credentials used for Active Directory integration.
### Lateral Movement
- **T+2 Days:** Attackers decrypted or utilized the stolen SSO service account credentials.
- **T+3 Days:** Using these credentials, the threat actors joined "rogue" virtual machines (workstations) to the corporate Active Directory. This allowed them to bypass traditional NAC (Network Access Control) and appear as legitimate internal assets.
### Data Exfiltration/Impact
- **Final Stage:** From the rogue workstations, attackers replicated domain credentials via "DCSync" or created volume shadow copies on Domain Controllers to capture the `NTDS.dit` file (the Active Directory database).
- **Impact:** Successful exfiltration of the NTDS.dit file and the SYSTEM hive, allowing for offline cracking of all domain user passwords.
### Detection & Response
- **Discovery:** Inconsistencies in service account login patterns and the appearance of unauthorized hostnames in Active Directory.
- **Response:** Isolation of the compromised edge devices, global password resets for service accounts, and forensic imaging of suspected rogue virtual environments.
## Attack Methodology
- **Initial Access:** Exploitation of FortiGate vulnerabilities to obtain system configuration files.
- **Persistence:** Joining rogue workstations to the domain; installation of RMM tools such as ScreenConnect or AnyDesk.
- **Privilege Escalation:** Exploiting the high-level permissions often granted to SSO Service Accounts (e.g., Replicating Directory Changes).
- **Defense Evasion:** Use of legitimate RMM tools and joining the domain to blend in with normal administrative traffic.
- **Credential Access:** Extraction of credentials from FortiGate configs; NTDS.dit exfiltration.
- **Discovery:** Scanning the internal network from the newly joined rogue workstation.
- **Lateral Movement:** Using RDP and SMB to move from the rogue workstation to Domain Controllers.
- **Collection:** Creation of Volume Shadow Copies (VSS) to bypass file locks on the AD database.
- **Exfiltration:** Transferring NTDS data and configuration files via RMM file transfer capabilities.
- **Impact:** Full identity compromise and long-term backdoor access.
## Impact Assessment
- **Financial:** High; includes forensic costs, incident response fees, and potential remediation of the entire identity infrastructure.
- **Data Breach:** Critical; all Active Directory credentials (hashes) for the entire organization were compromised.
- **Operational:** Moderate; focused on stealthy persistence rather than immediate disruption (e.g., ransomware).
- **Reputational:** Significant if the breach results in the secondary compromise of clients or partners.
## Indicators of Compromise
- **Network:** Outbound connections to RMM service domains (defanged here: `*.screenconnect[.]com`, `*.anydesk[.]com`).
- **File:** Presence of unauthorized `ntds.dit` or `ntds.jfm` copies in `C:\Windows\Temp\` or non-standard paths.
- **Behavioral:**
  - Unexpected `4624` logon events from service accounts starting with `FSSO_`.
  - New computer objects created in AD by service accounts that do not typically have machine-joining responsibilities.
  - Execution of `vssadmin create shadow /for=C:` on Domain Controllers.
## Response Actions
- **Containment:** Immediately revoked permissions for the compromised FortiGate SSO service accounts.
- **Eradication:** Formal teardown of rogue workstations and removal of unauthorized RMM software.
- **Recovery:** Full "Golden Ticket" remediation, including rotating the KRBTGT account password twice and forcing a global password reset.
## Lessons Learned
- **Credential Over-Privileging:** SSO service accounts often have more permissions than required (e.g., membership in Domain Admins or Account Operators, or replication rights on the domain).
- **Edge Device Exposure:** Firewalls are no longer just "the shield"; they are high-value targets containing the "keys to the kingdom."
- **Inadequate Monitoring:** Many organizations monitor user logins but fail to alert on new machine joins performed by service accounts.
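The over-privileging described under Lessons Learned (and addressed by Recommendation 1 below) is something a defender can audit mechanically: compare what the FSSO service account actually holds against the read-only access a directory-interrogation account needs. The script below is an added example, not code from the report or from SentinelLabs. The ACL entries, group memberships and the account names `FSSO_ldap` and `FSSO_ldap_ro` are constructed to resemble an export of the domain root's security descriptor and a group listing; the set of rights treated as "read-only" is an assumption about what the agent needs.

```python
"""Audit whether an FSSO-style service account holds more than read access.

Added example, not from the report. The ACL entries, group memberships and
account names are CONSTRUCTED to resemble what an export of the domain root's
security descriptor and the account's group list would contain.
"""
from dataclasses import dataclass
from typing import List

# Extended rights that allow pulling password material from a Domain
# Controller (what a DCSync replication request needs).
REPLICATION_RIGHT_NAMES = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Built-in groups that make an account effectively a domain administrator.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Account Operators", "Schema Admins"}
# Rights on the domain root that allow rewriting its security or contents.
DANGEROUS_ACCESS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner"}
# What a directory-interrogation account is ASSUMED to need: read access only.
READ_ONLY_ACCESS = {"GenericRead", "ReadProperty", "ListChildren"}


@dataclass(frozen=True)
class Ace:
    trustee: str           # account or group the entry applies to
    access: str            # e.g. "GenericAll", "ReadProperty", "ExtendedRight"
    object_type: str = ""  # for ExtendedRight: GUID of the controlled right


@dataclass
class ServiceAccount:
    name: str
    groups: List[str]


def audit_service_account(acct: ServiceAccount, domain_root_acl: List[Ace]) -> List[str]:
    """Return the over-privilege problems found; an empty list means least privilege holds."""
    problems = []
    for group in acct.groups:
        if group in PRIVILEGED_GROUPS:
            problems.append(f"member of privileged group '{group}'")
    applies_to = {acct.name, *acct.groups}
    for ace in domain_root_acl:
        if ace.trustee not in applies_to:
            continue  # entry is for some other principal
        guid = ace.object_type.lower()
        if ace.access in DANGEROUS_ACCESS:
            problems.append(f"holds {ace.access} on domain root via '{ace.trustee}'")
        elif ace.access == "ExtendedRight" and guid in REPLICATION_RIGHT_NAMES:
            problems.append(f"holds {REPLICATION_RIGHT_NAMES[guid]} via '{ace.trustee}'")
        elif ace.access not in READ_ONLY_ACCESS and ace.access != "ExtendedRight":
            problems.append(f"holds unexpected right {ace.access} via '{ace.trustee}'")
    return problems


# Constructed domain-root ACL export (trustee, access, controlled-right GUID).
DOMAIN_ROOT_ACL = [
    Ace("Domain Controllers", "ExtendedRight", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    Ace("Domain Controllers", "ExtendedRight", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    Ace("Authenticated Users", "GenericRead"),
    Ace("FSSO_ldap", "ExtendedRight", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),  # over-privileged
    Ace("FSSO_ldap", "GenericAll"),                                              # over-privileged
    Ace("FSSO_ldap_ro", "ReadProperty"),                                         # read access only
]

# Constructed accounts: the weak configuration beside the corrected one.
OVERPRIVILEGED = ServiceAccount("FSSO_ldap", ["Domain Users", "Account Operators"])
LEAST_PRIVILEGE = ServiceAccount("FSSO_ldap_ro", ["Domain Users"])

if __name__ == "__main__":
    for acct in (OVERPRIVILEGED, LEAST_PRIVILEGE):
        issues = audit_service_account(acct, DOMAIN_ROOT_ACL)
        print(acct.name, "->", issues or "least privilege OK")
```

Running it lists three problems for `FSSO_ldap` (Account Operators membership, DS-Replication-Get-Changes-All, GenericAll on the domain root) and none for `FSSO_ldap_ro`; in a real environment the ACL input would come from the domain's security descriptor rather than a constructed list, and legitimate replication principals such as DC machine accounts are recognised by their trustee name.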
## Recommendations
1. **Apply Least Privilege:** Ensure FortiGate SSO accounts only have the specific permissions needed for directory interrogation, not full domain management.
2. **Hardened Backups:** Encrypt FortiGate configuration backups with a strong, unique master key that is not stored on the device.
3. **MFA for Admin Access:** Enforce Multi-Factor Authentication for all administrative access to edge networking equipment.
4. **AD Monitoring:** Implement alerts for any service account attempting to join a new workstation to the domain.
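The behavioural indicators in the Indicators of Compromise section and the alerting asked for in Recommendation 4 can be expressed as a handful of rules over Windows Security events: service-account logons from hosts other than the FSSO collector (4624), computer objects created by a service account (4741), `vssadmin create shadow` on a Domain Controller (4688), and replication rights exercised by a principal that is not a DC machine account (4662, the DCSync pattern). The script below is an added example, not code from the report or from SentinelLabs. The events are constructed samples already parsed into fields as a SIEM would present them; the host names, the `FSSO_ldap` account, the collector allow-list and the service-account prefixes are placeholders for an environment's own values.

```python
"""Detection rules for the behavioural indicators listed in this report.

Added example, not from the report. The events below are CONSTRUCTED samples
shaped like Windows Security events after a SIEM has parsed them into fields;
host names, account names and allow-lists are placeholders.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Environment knowledge a real deployment would maintain (assumed values).
KNOWN_FSSO_COLLECTORS = {"FSSO-COLLECTOR01"}   # hosts where the FSSO agent legitimately runs
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
SERVICE_ACCOUNT_PREFIXES = ("FSSO_", "SVC_")

# Extended-right GUIDs that directory replication requires; a DCSync-style
# request exercises these and is logged as event 4662 on the DC.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}


@dataclass(frozen=True)
class Finding:
    rule: str
    account: str
    host: str
    detail: str


def is_service_account(name: str) -> bool:
    return name.upper().startswith(SERVICE_ACCOUNT_PREFIXES)


def evaluate(ev: dict) -> Optional[Finding]:
    """Apply the report's behavioural indicators to one parsed event."""
    eid, host = ev["EventID"], ev["Computer"]

    # 4624: a service account logging on from a host that is not its collector.
    if eid == 4624 and is_service_account(ev["TargetUserName"]):
        src = ev.get("WorkstationName", "").upper()
        if src not in KNOWN_FSSO_COLLECTORS:
            return Finding("fsso_logon_from_unexpected_host", ev["TargetUserName"], host,
                           f"logon type {ev.get('LogonType')} from {src or 'unknown'}")

    # 4741: a computer account created by a service account (rogue domain join).
    if eid == 4741 and is_service_account(ev["SubjectUserName"]):
        return Finding("service_account_joined_computer", ev["SubjectUserName"], host,
                       f"created computer object {ev['TargetUserName']}")

    # 4688: vssadmin snapshot on a Domain Controller (NTDS.dit copy pattern).
    if eid == 4688 and host in DOMAIN_CONTROLLERS:
        cmd = ev.get("CommandLine", "").lower()
        if "vssadmin" in cmd and "create shadow" in cmd:
            return Finding("vss_snapshot_on_dc", ev["SubjectUserName"], host, cmd)

    # 4662: replication rights used by something other than a DC machine account.
    # (Real deployments also allow-list known sync accounts, e.g. for cloud directory sync.)
    if eid == 4662:
        props = ev.get("Properties", "").lower()
        if any(g in props for g in REPLICATION_RIGHTS) and not ev["SubjectUserName"].endswith("$"):
            return Finding("replication_by_non_dc_principal", ev["SubjectUserName"], host,
                           "DCSync-style replication request")
    return None


def run_detections(events: Iterable[dict]) -> List[Finding]:
    return [f for f in map(evaluate, events) if f is not None]


# Constructed sample events: each suspicious case sits next to a benign one.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "FSSO_ldap",
     "WorkstationName": "FSSO-COLLECTOR01", "LogonType": 3},            # benign: agent host
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "FSSO_ldap",
     "WorkstationName": "DESKTOP-7F3K2", "LogonType": 3},               # suspicious: unknown host
    {"EventID": 4741, "Computer": "DC01", "SubjectUserName": "FSSO_ldap",
     "TargetUserName": "DESKTOP-7F3K2$"},                               # suspicious: rogue join
    {"EventID": 4741, "Computer": "DC01", "SubjectUserName": "helpdesk.jdoe",
     "TargetUserName": "LT-0451$"},                                     # benign: helpdesk join
    {"EventID": 4688, "Computer": "DC02", "SubjectUserName": "FSSO_ldap",
     "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin create shadow /for=C:"},                  # suspicious: VSS on DC
    {"EventID": 4688, "Computer": "FS01", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin create shadow /for=D:"},                  # benign: backup on file server
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "FSSO_ldap",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},           # suspicious: DCSync pattern
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "DC02$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},           # benign: DC-to-DC replication
]

if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.account}@{f.host}: {f.detail}")
```

Over the sample set the four suspicious events fire one rule each and all four point at the same service account, which is the correlation a SOC would want surfaced: an FSSO account that logs on from a new host, joins a machine, snapshots a DC volume and requests replication is behaving nothing like a directory-interrogation agent.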