Barracuda’s Managed XDR team recently contained a determined and complex attack by a ransomware gang. The attackers had been trying to find a way into a manufacturing company’s network since December 2024 and finally succeeded by exploiting an exposed firewall vulnerability.
# Incident Report: FortiGate Zero-Day Exploitation Leading to Ransomware Attempt
## Executive Summary
A manufacturing company was targeted by a determined ransomware group starting in December 2024, ultimately succeeding in January 2025 by exploiting a critical, unpatched FortiGate firewall vulnerability (CVE-2024-55591). Attackers gained administrative control, locked the victim out by deleting user accounts, attempted to deploy RansomHub ransomware via remote execution, but were contained by Barracuda Managed XDR before widespread encryption occurred.
## Incident Details
- Discovery Date: December 10, 2024 (Initial brute-force attempt)
- Incident Date: January 14, 2025 (Successful exploitation) to February 16, 2025 (Lockout/Ransomware attempt)
- Affected Organization: A manufacturing company
- Sector: Manufacturing
- Geography: Not explicitly disclosed (Attacker IPs from China, logins from Sweden/Chicago)
## Timeline of Events
### Initial Access
- **Date/Time:** December 10, 2024
- **Vector:** Brute-force attack against the firewall using the "admin" account, originating from a known malicious IP in China.
- **Details:** Detected and alerted by Barracuda Managed XDR; attack failed.
- **Date/Time:** January 3, 2025
- **Vector:** Reconnaissance via externally facing SMB connections.
- **Details:** Attackers spent 10 days exploring the network for weaknesses.
- **Date/Time:** January 14, 2025
- **Vector:** Exploitation of FortiGate zero-day vulnerability (CVE-2024-55591).
- **Details:** Attackers bypassed authentication to gain full administrative privileges on the vulnerable firewall.
### Lateral Movement
- **Date/Time:** January 30 – February 13, 2025
- **Details:** Attackers added two new administrative users ("Super Admin" and "Admin") to the firewall. On February 14, SSL-VPN logins were detected from Sweden and Chicago.
- **Methodology:** PsExec was installed on the domain controller and backup servers, likely to enable remote code execution (RCE) for lateral movement.
### Data Exfiltration/Impact
- **Date/Time:** February 16, 2025
- **Impact:** Attackers manipulated firewall policies, VPN settings, and XDR API integrations. They deleted all other user accounts and critical firewall rules, effectively locking the victim organization out of their network.
- **Payload:** Attackers attempted to deploy RansomHub ransomware across six servers using multiple executables simultaneously via remote execution.
### Detection & Response
- **Detection:** Barracuda Managed XDR detected the initial brute force, observed the reconnaissance, and, crucially, detected the final remote code execution attempt used to deploy the ransomware.
- **Response Actions:** Impacted devices were immediately quarantined by Managed XDR, and the customer was alerted. SOC engineers worked with the target on investigation and recovery.
## Attack Methodology
- **Initial Access:** Exploitation of FortiGate firewall vulnerability (CVE-2024-55591) after initial brute-force attempts failed.
- **Persistence:** Creation of new administrative accounts ("Super Admin," "Admin") on the firewall.
- **Privilege Escalation:** Achieved full administrative privileges on the firewall via the zero-day exploit.
- **Defense Evasion:** Deleting existing user accounts and firewall rules to erase traces and lock out the legitimate administrator.
- **Credential Access:** Not explicitly detailed outside of firewall administration takeover.
- **Discovery:** Reconnaissance using external SMB connections.
- **Lateral Movement:** Use of PsExec on the domain controller and backup servers.
- **Collection:** Not explicitly detailed.
- **Exfiltration:** Not explicitly detailed, but the aim was likely data encryption/extortion.
- **Impact:** Attempted widespread ransomware deployment (RansomHub) and complete administrative lockout of the network infrastructure.
## Impact Assessment
- **Financial:** Not quantified, but investigation took approximately two weeks, implying significant costs.
- **Data Breach:** Not explicitly stated what data was accessed, but administrative control over the firewall and access to domain controllers/backup servers indicates high potential for compromise.
- **Operational:** Potential for full encryption and service disruption averted by quarantine; organization was locked out of network administration.
- **Reputational:** Not disclosed.
## Indicators of Compromise
- **Network indicators (Defanged):**
  - `208[.]91[.]112[.]55`
  - `80[.]94[.]95[.]248`
  - `13[.]37[.]13[.]37`
- **File indicators (Executables used in ransomware deployment):**
  - `3e9a87df1c99c3907f4a00f4d5902380960b78dd`
  - `c4780dde6daaed7129c077ae3c569659296ca41f`
  - `e2e35e9fc1a7bcdf21124cbdaaa41572d27ed88a`
  - `9664762c8b1f62c355a5a786a1a1616c73aaa764`
- **Behavioral indicators:** Unauthorized "Zero" user creation, subsequent creation of "Super Admin" and "Admin" firewall users, use of PsExec on high-value servers, and remote deployment of RansomHub executables.
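As an added example that is not part of the Barracuda report, the following Python replays the network and behavioral indicators above over constructed firewall audit lines, flagging traffic from the listed IPs, an "admin" brute-force burst, creation of the named admin accounts, and account deletions. The audit-line format, its field names, the brute-force threshold and the 198.51.100.7 source address are assumptions for the example, not FortiGate's real log syntax or real incident telemetry.

```python
import re
from collections import Counter

# Defanged network IoCs from the report, refanged for matching.
IOC_IPS = {"208.91.112.55", "80.94.95.248", "13.37.13.37"}
# Account names the report lists as behavioral indicators (case-insensitive).
SUSPICIOUS_ADMIN_NAMES = {"zero", "super admin", "admin"}
BRUTE_FORCE_THRESHOLD = 5  # assumed threshold for failed "admin" logins per source IP

# Assumed, simplified audit-log format (not FortiGate's real syntax).
LINE_RE = re.compile(
    r'^(?P<ts>\S+) action=(?P<action>\S+) user="(?P<user>[^"]*)"'
    r'(?: target="(?P<target>[^"]*)")? src=(?P<src>\S+) status=(?P<status>\S+)'
)

def parse(line):
    """Parse one audit line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def detect(lines):
    """Replay audit lines and return (severity, message) findings in log order."""
    findings, failed_by_src = [], Counter()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["src"] in IOC_IPS:
            findings.append(("high", f"{ev['ts']} activity from known-bad IP {ev['src']}"))
        if ev["action"] == "login" and ev["status"] == "failed" and ev["user"] == "admin":
            failed_by_src[ev["src"]] += 1
            if failed_by_src[ev["src"]] == BRUTE_FORCE_THRESHOLD:
                findings.append(("medium", f"{ev['ts']} admin brute force from {ev['src']}"))
        if ev["action"] == "user_add" and (ev["target"] or "").lower() in SUSPICIOUS_ADMIN_NAMES:
            findings.append(("high", f"{ev['ts']} suspicious admin account created: {ev['target']!r}"))
        if ev["action"] == "user_delete":
            findings.append(("critical", f"{ev['ts']} account {ev['target']!r} deleted by {ev['user']!r}"))
    return findings

def summarize(findings):
    return Counter(sev for sev, _ in findings)  # findings per severity

# Constructed sample lines (not real telemetry from the incident); 198.51.100.7 is a
# documentation-range address standing in for the attacker's later VPN source.
SAMPLE = [f'2024-12-10T02:1{i}:00Z action=login user="admin" src=208.91.112.55 status=failed'
          for i in range(5)] + [
    '2025-01-30T10:00:00Z action=user_add user="Zero" target="Super Admin" src=198.51.100.7 status=success',
    '2025-02-16T04:00:00Z action=user_delete user="Super Admin" target="itadmin" src=198.51.100.7 status=success',
]
```

Calling `detect(SAMPLE)` yields five known-bad-IP findings, one brute-force finding on the fifth failure, one admin-creation finding and one critical deletion finding; `summarize` gives the per-severity counts.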
## Response Actions
- **Containment:** Impacted devices were immediately quarantined by Barracuda Managed XDR upon detection of RCE/ransomware attempt.
- **Eradication:** SOC engineers led an investigation to establish the point of entry and attack lifecycle. (Specific steps, like credential resets or system rebuilds, are implied in recovery.)
- **Recovery:** SOC team provided full incident guidance and assisted the target with recovery processes over approximately two weeks.
## Lessons Learned
- Attackers employ protracted, multi-stage attempts before finding a successful vector.
- Unmitigated high-severity vulnerabilities (like the FortiGate zero-day) leave organizations critically exposed, as they provide a direct path to administrative control.
- Layered defenses with extended visibility (XDR) are crucial for detecting malicious activity even after an initial breach.
## Recommendations
- Immediately install security updates or implement workarounds for all critical vulnerabilities, especially those facing the internet (like firewalls).
- Enforce Multi-Factor Authentication (MFA) on all externally accessible services, particularly VPN accounts.
- Enhance security posture with integrated solutions that provide extended visibility (XDR) to drastically reduce dwell time between initial access and response.