Full Report
Admins say attackers are still getting in despite recent patches FortiGate firewalls are getting quietly reconfigured and stripped down by miscreants who've figured out how to sidestep SSO protections and grab sensitive settings right out of the box.…
Analysis Summary
# Incident Report: FortiGate Silent SSO Configuration Theft
## Executive Summary
A widespread attack campaign is targeting FortiGate firewalls, exploiting a persistent authentication bypass vulnerability (related to CVE-2025-59718) even on systems administrators believe are patched. Attackers are leveraging compromised SSO accounts to silently reconfigure firewalls, create backdoors, and exfiltrate sensitive configuration files, which provide internal network maps and credentials. The threat is characterized by rapid, automated activity requiring immediate administrative auditing and credential rotation.
## Incident Details
- Discovery Date: January 15 (Start of observed malicious activity by Arctic Wolf)
- Incident Date: Starting January 15, ongoing, with related activity noted since December (following initial patch release).
- Affected Organization: Multiple customers running FortiGate appliances protected by SSO (SAML).
- Sector: Unspecified (Likely broad impact across sectors using Fortinet).
- Geography: Unspecified (Global implication due to nature of advisory).
## Timeline of Events
### Initial Access
- Date/Time: Starting January 15 (Automated activity observed).
- Vector: Exploitation of Authentication Bypass through specially crafted SAML responses against SSO protections.
- Details: Attackers bypassed SSO login checks, suggesting a patch bypass for vulnerabilities originally patched in December's release (CVE-2025-59718).
### Lateral Movement
- Details: Once authenticated, attackers immediately executed commands to modify firewall rules and create new administrative accounts, indicating direct control over the device configurations rather than traditional internal lateral movement.
### Data Exfiltration/Impact
- Details: Attackers exported the full firewall configuration file (`running-config`). These files contain sensitive data, including internal network topology, credentials, and secrets.
### Detection & Response
- Date/Time: On or after January 15 (Detected by Arctic Wolf analysis).
- Details: Detection based on review of client activity logs showing rapid, coordinated configuration changes and the use of SSO credentials from a specific source IP.
## Attack Methodology
- Initial Access: Exploitation of SAML flaw in FortiGate SSO implementation (Patch Bypass of CVE-2025-59718).
- Persistence: Creation of new, unknown administrative user accounts on the FortiGate appliance.
- Privilege Escalation: Not explicitly required upon session establishment due to successful authentication bypass leading directly to administrative rights.
- Defense Evasion: The activity is silent, rapid, and leverages trusted SSO infrastructure, making it difficult to spot without deep log review.
- Credential Access: Config file exfiltration allows access to banked credentials stored within the firewall configuration.
- Discovery: Firewall configuration export effectively maps the internal network architecture.
- Lateral Movement: Configuration changes to VPN and firewall rules potentially open new ingress/egress paths.
- Collection: Exporting the entire firewall configuration file.
- Exfiltration: Transfer of the configuration file off the device.
- Impact: Unauthorized control over perimeter security devices, exposure of network secrets.
## Impact Assessment
- Financial: Not specified, but likely high due to remediation costs and potential subsequent network breaches.
- Data Breach: Highly sensitive internal network details, credentials (network access keys, VPN secrets), and security policy information.
- Operational: Configuration manipulation of perimeter security (VPNs, firewall rules) leading to potential service disruption or unauthorized access paths.
- Reputational: Damage to Fortinet's credibility regarding patch efficacy and potential organizational trust issues due to administrative scope being compromised.
## Indicators of Compromise
- Network Indicators (Defanged):
- Source IP observed connecting via SSO: `104.28.244.114`
- User-Agent observed: `[email protected]` (Note: This might be a misleading user-agent string used by the attacker).
- File Indicators:
- Exfiltrated FortiGate configuration backups.
- Behavioral Indicators:
- Rapid succession of actions: Login -> New Admin Creation -> Rule Modification -> Config Export, all occurring within seconds.
- Authentication occurring via SSO mechanism despite prior patching efforts against related CVEs.
## Response Actions
- Containment: (Implied/Recommended) Isolating compromised systems, temporarily revoking or auditing configurations/sessions tied to the SSO environment contacting the FortiGate.
- Eradication Steps: (Implied/Recommended) Deleting all unauthorized admin accounts discovered, immediately disabling administrative access until patched.
- Recovery Actions: (Implied/Recommended) Applying the upcoming FortiOS patches (7.4.11, 7.6.6, and 8.0.0), rotating all credentials found within exported configurations.
## Lessons Learned
- Persistent Vulnerabilities: Critical authentication bypass flaws can persist even after vendors announce fixes, particularly if patch rollups are incomplete (e.g., 7.4.10 missing the full remediation for CVE-2025-59718).
- Automated Exploitation: Attackers are employing highly automated methods that execute complex sequences (config modification + data theft) in seconds, demanding rapid, automated detection methods.
- Configuration Sensitivity: Firewall configurations are critical assets containing network blueprints and plaintext/hashed secrets; their direct export constitutes a major breach equivalent to full network reconnaissance documentation theft.
## Recommendations
- **Immediate Action:** Audit all FortiGate admin accounts for unauthorized additions and immediately rotate credentials exposed in configuration backups. Scrutinize all recent SSO login activity, prioritizing those originating from untrusted geographic locations or unusual hosts.
- **Patching Strategy:** Do not rely solely on the stated patch delivery in vendor advisories; proactively seek confirmation or test environments to verify remediation efficacy against known authentication flaws.
- **System Hardening:** Implement strict Multi-Factor Authentication (MFA) requirements for all administrative access, even where the underlying flaw bypasses standard SSO checks; investigate alternative administrative hardening measures if SSO is the vector.
- **Monitoring Elevation:** Enhance logging and alerting specifically focused on configuration file changes and administrative account creation on perimeter devices.