EXECUTIVE SUMMARY[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY[emaillocker id="1283"]
A recent campaign has targeted publicly exposed management interfaces on Fortinet FortiGate firewalls, exploiting a zero-day vulnerability now designated as CVE-2024-55591. Attackers leveraged unauthorized administrative access to these interfaces to create accounts, authenticate via SSL VPN, and alter device configurations. While the initial access vector remains unconfirmed, the campaign's timeline and impacted firmware versions suggest widespread exploitation. These firewalls, commonly used for network security, offer a web-based CLI interface that was exploited by threat actors, as evidenced by patterns of anomalous logins and configuration changes. This vulnerability, confirmed to enable authentication bypass, was observed across multiple sectors, indicating the opportunistic nature of the attacks.
The attack unfolded in distinct phases. Initial vulnerability scans revealed unusual jsconsole activity involving spoofed loopback and DNS resolver IP addresses. Reconnaissance followed with configuration changes like toggling console output settings. In the next phase, attackers created new admin accounts or hijacked existing ones, using them to establish SSL VPN tunnels. These accounts, often named with random alphanumeric patterns, were added to VPN access groups or new portals. Threat actors also modified VPN settings, including port configurations. Finally, attackers leveraged DCSync to extract credentials for lateral movement. Network traffic analysis revealed HTTPS activity from specific VPS hosting providers correlating with jsconsole logins. Key technical markers included web CLI traffic on ports 8023 and 9980 and anomalous session behaviors, such as rapid login/logout events.
This campaign highlights the dangers of exposing management interfaces to the public internet. By exploiting authentication bypass vulnerability, attackers gained control over FortiGate firewalls, conducted reconnaissance, and established persistent access via SSL VPN. The campaign’s phased approach underscores the attackers’ systematic exploitation of exposed interfaces. Observed traffic patterns and configuration changes reflect a coordinated effort to leverage vulnerabilities for widespread impact. Although the full scope of the attackers' objectives remains unclear, the provided technical details emphasize the necessity of proactive measures to mitigate such risks. The incident demonstrates how misconfigured or vulnerable systems can serve as entry points for broader attacks.
THREAT PROFILE:
| Tactic | Technique ID | Technique |
| Initial Access | T1190 | Exploit Public-Facing Application |
| Persistence | T1136 | Create Account |
| T1133 | External Remote Services | |
| Defense Evasion | T1078 | Valid Accounts |
| Credential Access | T1003 | OS Credential Dumping |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/fortinet-fortigate-firewalls-under-attack-by-exploit-a-zero-day-vulnerability/