Full Report
Over the last month, Barracuda Managed XDR’s security solutions, threat intelligence and SOC analysts identified developments that organizations should be aware of, including rises in attempted data exfiltration and detection of packed malware.
Analysis Summary
# Incident Report: Rising Threat Landscape - FortiGate Exploits, Data Exfiltration, and Application Vulnerabilities
## Executive Summary
This report synthesizes threat intelligence observed over the last month, highlighting a significant 38% rise in attacks targeting FortiGate Firewall VPN services, indicating a pivot toward exploiting perimeter defenses for initial access. Concurrently, there was a 26% increase in attempted data exfiltration, shifting attacker focus towards theft and extortion. The report also flags critical, actively exploited zero-day vulnerabilities in CrushFTP and Next.js that grant unauthorized access to sensitive systems and web application data, necessitating immediate patching across organizations.
## Incident Details
- **Discovery Date:** Ongoing monitoring over the last month (reported findings)
- **Incident Date:** Ongoing activity observed over the last month
- **Affected Organization:** Multiple organizations (General Threat Landscape Analysis)
- **Sector:** Not specified (Applicable across all sectors using affected products)
- **Geography:** Not specified (Global threat trends)
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing over the last month
- **Vector:** Exploitation of unpatched FortiGate Firewall VPN vulnerabilities (FG-IR-24-535) or CrushFTP vulnerability.
- **Details:** Attackers exploit authentication bypass in FortiGate to gain administrative privileges, or leverage the CrushFTP vulnerability (which allows authentication bypass) after PoC publication.
### Lateral Movement
- **Details:** FortiGate compromise allows attackers to change firewall settings, create malicious admin accounts, and gain access to internal networks.
### Data Exfiltration/Impact
- **Date/Time:** Ongoing rise (26% increase observed)
- **Details:** Attackers are increasingly focusing on stealing valuable intellectual property and confidential data for extortion, often using stealthy methods like compression, steganography, or tunneling.
### Detection & Response
- **How it was discovered:** Barracuda SOC analysts identified significant statistical increases in specific attack types (FortiGate exploitation, exfiltration attempts) and flagged active exploitation of CrushFTP and Next.js.
- **Response actions taken:** Security providers are advising organizations to patch immediately and deploy compensating controls like MFA and geo-fencing.
## Attack Methodology
- **Initial Access:** Exploitation of known vulnerabilities (FortiGate VPN Auth Bypass, CrushFTP vulnerability) or leveraging externally accessible services like VPNs.
- **Persistence:** Not explicitly detailed, but likely involves creating new admin accounts (via FortiGate exploit) or installing backdoors (via unpatched services).
- **Privilege Escalation:** Authentication bypass in FortiGate leads directly to full administrative privileges. Next.js vulnerability allows bypass of authorization checks.
- **Defense Evasion:** Data exfiltration utilizes stealthy measures like compression, steganography, and tunneling to mimic normal traffic.
- **Credential Access:** Phishing and brute-force attacks are mentioned as general means to compromise credentials used for VPN access.
- **Discovery:** System reconnaissance implied following initial access to identify high-value data targets.
- **Lateral Movement:** Gaining access to internal networks via compromised firewalls.
- **Collection:** Gathering sensitive or confidential data, sometimes involving insiders or social engineering.
- **Exfiltration:** Increased rate of data removal via stealthy techniques (26% rise).
- **Impact:** Data breaches, financial loss, reputational damage, ransomware deployment (linked to RansomHub activity following FortiGate breach).
## Impact Assessment
- **Financial:** Potential regulatory fines, costs associated with incident response, and potential ransomware payouts. Loss of valuable intellectual property.
- **Data Breach:** Theft of sensitive or confidential data is the primary focus of the observed exfiltration trend.
- **Operational:** Potential disruption from ransomware attacks or service compromise (e.g., via Next.js manipulation).
- **Reputational:** Significant damage resulting from data breaches and regulatory non-compliance.
## Indicators of Compromise
(Note: Specific IoCs require defanging, but general categories based on the report include):
- **Network indicators:** Traffic patterns indicative of slow/stealthy tunneling or data movement; connections to known malicious infrastructure associated with RansomHub activity (if specific file were analyzed).
- **File indicators:** Presence of "packed" malware (noted as a 47% detection rise).
- **Behavioral indicators:** Unauthenticated access attempts to FortiGate VPNs; unusual administrative activity on firewalls; unauthorized file modification attempts on CrushFTP servers; authorization bypass attempts on Next.js applications.
## Response Actions
- **Containment measures:** Immediate patching of FortiGate, CrushFTP, and Next.js installations; enforcement of MFA on all external-facing services (especially VPN).
- **Eradication steps:** Auditing firewall configurations for unauthorized rules or accounts created by attackers; scanning for backdoors installed following application exploitation.
- **Recovery actions:** Restoring integrity to compromised web applications (Next.js) and file transfer services (CrushFTP); isolating segments if internal network access was achieved via firewall compromise.
## Lessons Learned
- Perimeter security devices (like FortiGate) that offer remote access are high-value targets; failing to patch these immediately leads to systemic compromise risk.
- Attackers are pivoting from purely destructive/encryption attacks (ransomware) towards data theft and extortion, requiring better controls over data egress.
- Vulnerabilities in widely used third-party software (CrushFTP, Next.js) carry severe risk, especially when PoCs are released before universal patching occurs.
- Lack of MFA and weak access controls significantly increase the attack surface accessible via external services.
## Recommendations
- Maintain an aggressive patch management strategy, prioritizing public-facing infrastructure and VPN services (e.g., FortiGate) immediately upon patch release.
- Enforce mandatory, non-bypassable Multifactor Authentication (MFA) for all external VPN access.
- Implement geo-fencing or conditional access policies to restrict VPN access only to authorized geographic locations.
- Conduct regular vulnerability scanning and maintain a complete inventory of all applications and tools in use, especially customer-facing tools like CrushFTP and web frameworks like Next.js.
- Deploy layered, integrated security solutions (XDR) for holistic monitoring across network, endpoint, and cloud to reduce dwell time.