Full Report
Threat hunters are calling attention to a new campaign that has targeted Fortinet FortiGate firewall devices with management interfaces exposed on the public internet. "The campaign involved unauthorized administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes," cybersecurity firm
Analysis Summary
# Vulnerability: Mass Exploitation Campaign Targeting Publicly Exposed FortiGate Management Interfaces (Zero-Day Suspected)
## CVE Details
- CVE ID: Not explicitly assigned in the source material (Zero-day suspected)
- CVSS Score: Unknown (Severity implied high due to configuration changes and credential theft)
- CWE: Likely CWE-288 (Improper Access Control) or related Authentication Bypass/Improper Authorization weaknesses.
## Affected Systems
- Products: Fortinet FortiGate Firewalls
- Versions: Firmware versions ranging between **7.0.14** and **7.0.16**.
- Configurations: Devices with management interfaces **exposed on the public internet**.
## Vulnerability Description
Unknown threat actors are leveraging a suspected zero-day vulnerability to gain unauthorized administrative access to the management interfaces of vulnerable FortiGate firewall devices. Once authenticated, attackers perform configuration changes, establish unauthorized SSL VPN tunnels using newly created or hijacked accounts, and attempt to extract Active Directory credentials via DCSync. A key indicator of compromise, besides the malicious activity itself, is the extensive use of the `jsconsole` interface from unusual source IP addresses.
## Exploitation
- Status: **Exploited in the wild** (Observed campaign commencing mid-November 2024)
- Complexity: Implied **Medium to Low** for initial access, given the compressed timeline across diverse victims, suggesting automated or highly effective exploitation.
- Attack Vector: **Network** (Attacks target publicly exposed management interfaces).
## Impact
- Confidentiality: **High** (Credential extraction via DCSync, potential subsequent lateral movement).
- Integrity: **High** (Unauthorized configuration changes, creation of new admin accounts, installation of backdoors via VPN setup).
- Availability: **Medium** (Potential disruption if core firewall functions are altered, though the observed TTPs focused on persistence and data exfiltration rather than disruption).
## Remediation
### Patches
- No specific patch version corresponding to the initial zero-day exploitation is cited in the article. **Immediate action is required based on general vendor advisories for versions 7.0.14 through 7.0.16, and upgrading to the latest stable version is strongly recommended.**
### Workarounds
1. **Immediately restrict access** to FortiGate management interfaces (HTTPS/GUI/CLI).
2. Ensure management interfaces are **not exposed to the public internet**. Limit administrative access strictly to trusted internal networks or secure jump hosts using strict firewall policies.
3. Review firewall configuration for **unauthorized or suspicious administrative accounts** (`super_admin` or other high-privilege profiles) created after mid-November 2024.
4. Review SSL VPN configurations for **suspicious local user accounts** added to existing access groups.
## Detection
- **Indicators of Compromise (IOCs):**
  - Administrative logins originating from unusual, persistent IP addresses utilizing the `jsconsole` interface.
  - Creation of new, unauthorized admin or local user accounts, especially those associated with SSL VPN groups.
  - Creation of new, custom SSL VPN portals.
  - Unexplained creation of outbound SSL VPN tunnels originating from the firewall appliance.
- **Detection Methods and Tools:**
  - Monitor firewall logs (specifically management access logs) for anomalous login times or source IP addresses.
  - SIEM correlation rules looking for evidence of configuration changes alongside new user creation involving high-privilege profiles.
  - Network monitoring for outbound connections leveraged by newly created VPN accounts destined for VPS hosting providers.
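The detection logic above, as an added example that is not part of the original report or Arctic Wolf's analysis: it parses key=value event log lines in the style of FortiGate event logs and flags `jsconsole` admin logins from outside a trusted management allowlist, plus creation of admin accounts, local users and SSL VPN portals. The field names (`ui`, `srcip`, `cfgpath`, `cfgobj`, `action`, `status`), the sample log lines and the `10.0.0.0/8` allowlist are constructed assumptions for illustration.

```python
import re
import ipaddress

# Constructed sample log lines modelled on FortiOS key=value event logs; not captured data.
SAMPLE_LOGS = [
    'date=2024-11-20 time=08:02:11 logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" srcip=10.0.0.5 action="login" status="success"',
    'date=2024-11-22 time=03:14:09 logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=203.0.113.77 action="login" status="success"',
    'date=2024-11-22 time=03:15:40 logdesc="Object attribute configured" user="admin" ui="jsconsole" srcip=203.0.113.77 cfgpath="system.admin" cfgobj="svc_backup" cfgattr="accprofile[super_admin]" action="Add"',
    'date=2024-11-22 time=03:17:02 logdesc="Object configured" user="admin" ui="jsconsole" srcip=203.0.113.77 cfgpath="vpn.ssl.web.portal" cfgobj="web-portal-2" action="Add"',
    'date=2024-11-22 time=03:20:55 logdesc="Object configured" user="admin" ui="jsconsole" srcip=203.0.113.77 cfgpath="user.local" cfgobj="svc_backup" action="Add"',
]

# Assumed allowlist of networks from which administrative access is expected.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Configuration paths whose creation matches the campaign TTPs described in the report:
# new admin accounts, new SSL VPN portals and new local (VPN) users.
SUSPICIOUS_CFG_PATHS = {"system.admin", "vpn.ssl.web.portal", "user.local"}

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortios_line(line):
    """Parse one key=value log line (quoted or bare values) into a dict."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def is_trusted(ip):
    """True if the source IP falls inside an allowlisted management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def hunt(lines):
    """Return a list of (reason, parsed_event) findings matching the campaign indicators."""
    findings = []
    for line in lines:
        ev = parse_fortios_line(line)
        untrusted = not is_trusted(ev.get("srcip", ""))
        if ev.get("action") == "login" and ev.get("status") == "success":
            # Successful admin login via jsconsole from outside the allowlist.
            if ev.get("ui") == "jsconsole" and untrusted:
                findings.append(("jsconsole admin login from untrusted IP", ev))
        elif ev.get("action") == "Add" and ev.get("cfgpath") in SUSPICIOUS_CFG_PATHS:
            # Account or SSL VPN portal creation, flagged regardless of source so it can be correlated.
            origin = "untrusted" if untrusted else "trusted"
            findings.append((f"new {ev['cfgpath']} object {ev.get('cfgobj')} created from {origin} IP", ev))
    return findings
```

Correlating the login finding with the subsequent configuration findings from the same `srcip` within a short window is the SIEM rule the report describes.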
## References
- Vendor Advisory: (None explicitly detailed for the zero-day, but general Fortinet security advisories should be monitored.)
- Incident Analysis: arcticwolf dot com/resources/blog/console-chaos-targets-fortinet-fortigate-firewalls/
- Incident Analysis: arcticwolf dot com/resources/blog/arctic-wolf-observes-targeting-of-publicly-exposed-fortinet-firewall-management-interfaces/