Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls
Jan. 13, 2025, 10:44 a.m.
Description
A recent campaign targeting Fortinet FortiGate firewalls whose management interfaces were exposed to the internet has been observed. The threat actors gained unauthorized access to the firewalls' administrative controls, created new accounts, configured and established SSL VPN connections, and made various other configuration changes. The initial access vector remains unconfirmed, but a zero-day vulnerability is strongly suspected: the compromised devices all ran firmware in the narrow range 7.0.14 to 7.0.16, and no credential theft preceding the intrusions was identified. The campaign progressed through four phases: vulnerability scanning, reconnaissance, SSL VPN configuration, and lateral movement. The attackers' administrative activity was performed over jsconsole sessions (the CLI console offered through the web GUI) whose logged source addresses were spoofed, and the configuration changes they made were anomalous for the affected environments. Organizations are urged to disable firewall management access on public interfaces immediately to mitigate the risk.
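The tradecraft above leaves a recognisable trail in FortiGate event logs: jsconsole admin activity with a source address no real administrator would have, account creation, SSL VPN settings edits, and SSL VPN tunnels for accounts that did not exist before the intrusion. The following detection helper is an added example and is not code from the original report or from Fortinet. It parses FortiOS key=value event lines and correlates those four signals in one pass. The sample log lines are constructed to follow the FortiOS event log layout; which address ranges count as "spoofed" (loopback and public resolver addresses) and which network the legitimate administrators use (`10.10.0.0/16`) are assumptions of the example, and matching is done on descriptive fields (`ui`, `cfgpath`, `action`) rather than on `logid` values so it does not depend on exact message numbers.

```python
"""Flag the campaign's tradecraft in FortiGate event logs (added example)."""
from __future__ import annotations

import ipaddress
import re
import shlex

# Assumed for this example: sources that cannot be a real admin session.
SUSPECT_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "0.0.0.0/8")]
SUSPECT_HOSTS = {"8.8.8.8", "8.8.4.4", "1.1.1.1"}
# Assumed for this example: where legitimate administrators connect from.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# The ui field reads "jsconsole" on login events and "jsconsole(1.2.3.4)" on config events.
UI_RE = re.compile(r"^(?P<ui>[A-Za-z_]+)(?:\((?P<addr>[^)]*)\))?$")


def parse_fortigate_log(line: str) -> dict:
    """Turn one FortiOS key=value line into a dict, stripping the quotes."""
    event = {}
    for token in shlex.split(line):
        if "=" in token:
            key, _, value = token.partition("=")
            event[key] = value
    return event


def split_ui(ui: str) -> tuple:
    """Return (ui name, embedded address or None) for a FortiOS ui field."""
    m = UI_RE.match(ui)
    return (ui, None) if not m else (m.group("ui"), m.group("addr"))


def source_is_suspect(addr) -> bool:
    """True if addr is missing, unparsable, spoof-prone, or outside the admin networks."""
    if not addr or addr in SUSPECT_HOSTS:
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return any(ip in n for n in SUSPECT_NETS) or not any(ip in n for n in TRUSTED_ADMIN_NETS)


def scan(lines) -> list:
    """Return (line_number, finding) tuples. Accounts created inside the window are
    remembered so a later SSL VPN tunnel-up for one of them is flagged even though
    the tunnel event itself looks benign."""
    findings = []
    new_accounts = set()
    for n, line in enumerate(lines, 1):
        ev = parse_fortigate_log(line)
        ui, ui_addr = split_ui(ev.get("ui", ""))
        src = ev.get("srcip") or ui_addr
        # 1. Admin activity over jsconsole from a source that cannot be a real admin.
        if ui == "jsconsole" and source_is_suspect(src):
            findings.append((n, f"jsconsole admin activity from unexpected source {src!r} by user {ev.get('user')!r}"))
        # 2. Administrator or local user accounts being created.
        if ev.get("action") == "Add" and ev.get("cfgpath") in ("system.admin", "user.local"):
            new_accounts.add(ev.get("cfgobj"))
            findings.append((n, f"account created: {ev['cfgpath']} {ev.get('cfgobj')!r} via {ui}"))
        # 3. SSL VPN settings or portals changed.
        if ev.get("cfgpath", "").startswith("vpn.ssl."):
            findings.append((n, f"SSL VPN configuration change: {ev['cfgpath']} {ev.get('action')} via {ui}"))
        # 4. SSL VPN tunnel brought up by an account created earlier in this window.
        if ev.get("action") == "tunnel-up" and ev.get("user") in new_accounts:
            findings.append((n, f"SSL VPN tunnel by newly created account {ev['user']!r} from {ev.get('remip')}"))
    return findings


# Constructed sample lines in FortiOS event log layout (not captured from a real device).
SAMPLE_LOGS = [
    'date=2024-11-22 time=09:01:10 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.10.5.20)" method="https" srcip=10.10.5.20 dstip=10.10.0.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(10.10.5.20)"',
    'date=2024-11-22 time=21:14:03 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" srcip=127.0.0.1 dstip=127.0.0.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"',
    'date=2024-11-22 time=21:14:40 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(8.8.8.8)" action="Add" cfgtid=1234 cfgpath="system.admin" cfgobj="sslvpn_bkp" cfgattr="accprofile[super_admin]" msg="Add system.admin sslvpn_bkp"',
    'date=2024-12-04 time=02:40:12 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="sslvpn_bkp" ui="jsconsole(8.8.8.8)" action="Add" cfgtid=1235 cfgpath="user.local" cfgobj="svc_backup" cfgattr="type[password]" msg="Add user.local svc_backup"',
    'date=2024-12-04 time=02:41:05 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="sslvpn_bkp" ui="jsconsole(8.8.8.8)" action="Edit" cfgtid=1236 cfgpath="vpn.ssl.settings" cfgattr="source-interface[wan1]" msg="Edit vpn.ssl.settings"',
    'date=2024-12-05 time=03:22:11 logid="0101039947" type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=1 remip=203.0.113.45 user="svc_backup" group="vpn_users" dst_host="N/A" reason="tunnel established" msg="SSL VPN tunnel up"',
]

if __name__ == "__main__":
    for line_no, finding in scan(SAMPLE_LOGS):
        print(f"line {line_no}: {finding}")
```

Run against a real export, only the first sample line (an HTTPS login from the trusted admin network) stays quiet; every jsconsole event from the loopback or resolver addresses, both account creations, the SSL VPN settings edit and the tunnel for the freshly created `svc_backup` account are reported. Tune `TRUSTED_ADMIN_NETS` to the networks your administrators actually use before deploying, and remember that a management interface that is not reachable from the internet in the first place removes the whole precondition of this campaign.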
Date
Published: Jan. 11, 2025, 2:10 a.m.
Created: Jan. 11, 2025, 2:10 a.m.
Modified: Jan. 13, 2025, 10:44 a.m.
Attack Patterns
T1078.001 Valid Accounts: Default Accounts
T1003.006 OS Credential Dumping: DCSync
T1136.001 Create Account: Local Account
T1190 Exploit Public-Facing Application
T1133 External Remote Services