Hackers Exploit Zero-Day in Fortinet Firewalls

Home/BOTNET, Exploitation, Internet Security, Security Advisory, Security Update, Zero Day Attack/Hackers Exploit Zero-Day in Fortinet Firewalls

Hackers Exploit Zero-Day in Fortinet Firewalls

Hackers are targeting Fortinet FortiGate firewalls with exposed management interfaces online.

Arctic Wolf reports that between November and December 2024, attackers exploited a suspected zero-day vulnerability to gain unauthorized access and alter critical network security setting.

The campaign targeting Fortinet devices with firmware versions 7.0.14 to 7.0.16 occurred in four phases:

  • Vulnerability Scanning (Nov 16-23, 2024): Attackers scanned for vulnerabilities, exploiting the jsconsole command-line interface, often using spoofed or unusual IPs like loopback addresses and public DNS resolvers to hide their actions.
  • Reconnaissance (Nov 22-27, 2024)
  • SSL VPN Configuration (Dec 4-7, 2024)
  • Lateral Movement (Dec 16-27, 2024)

Reconnaissance Phase
Attackers tested administrative access by making initial configuration changes. During the SSL VPN configuration phase, they created new super admin accounts or took over existing ones to deepen network infiltration.

They altered VPN portal settings, exploited default “guest” accounts, and used DCSync to steal credentials for deeper access to sensitive accounts.

Arctic Wolf’s lead researcher, Stefan Hostetler, highlighted that the activity resembled widespread opportunistic exploitation, with affected organizations experiencing hundreds to thousands of malicious login attempts on Fortinet firewalls.

Although the specific vulnerability is unconfirmed, experts suspect a zero-day flaw due to the rapid attacks across multiple organizations and firmware versions.

The campaign has impacted dozens of organizations across industries. Fortinet confirmed the attacks, stating that attackers had stolen sensitive data like IP addresses, credentials, and device configurations from FortiGate devices managed by compromised FortiManager appliances.

To address the threat, cybersecurity experts recommend the following steps:

  • Disable public access to FortiGate firewall management interfaces.
  • Update to the latest firmware versions.
  • Enable multi-factor authentication (MFA) for administrative accounts.
  • Monitor for unusual login activity or unauthorized configuration changes.
  • Perform thorough threat hunting to identify potential compromises.

Fortinet has added detections for this campaign to its Managed Detection and Response (MDR) platform and is actively investigating while developing patches.

This incident highlights the importance of securing network management interfaces and restricting access to trusted internal users. Staying proactive and vigilant is essential to protecting critical infrastructure from evolving cyber threats.

Post Views: 98
By | 2025-01-15T07:39:25+05:30 January 14th, 2025|BOTNET, Exploitation, Internet Security, Security Advisory, Security Update, Zero Day Attack|

About the Author:

FirstHackersNews- Identifies Security

Related Posts

Leave A Comment

Subscribe to our newsletter to receive security tips everday!