Zero-Day Vulnerability Behind Fortinet Firewall Attacks


A critical vulnerability, potentially a zero-day flaw, is believed to be responsible for a series of attacks on Fortinet’s FortiGate firewall devices, particularly those with exposed management interfaces on the public internet. Cybercriminals are attempting unauthorized administrative logins, modifying configurations, creating new accounts, and engaging in SSL VPN authentication, according to cybersecurity researchers.

Researchers from Arctic Wolf have tracked this malicious activity since recognizing unusual behavior on FortiGate devices in early December, as detailed in a blog post. They noted that attackers were able to access the management interfaces of affected firewalls using firmware versions between 7.0.14 and 7.0.16, altering configurations in compromised systems. Furthermore, in these environments, they utilized DCSync techniques to extract user credentials.

In December, Arctic Wolf issued a security bulletin to address the emerging threat. The latest insights suggest that attackers are exploiting a probable zero-day vulnerability, although the researchers have not conclusively identified how access was initially gained. The pattern observed across various organizations and firmware versions implies that an undisclosed vulnerability may be in play.

Interestingly, the victims of this campaign do not belong to any specific sector or size, indicating that the attacks appear to be opportunistic rather than methodically targeted.

Cyber Abuse of the Fortinet Administrator Console

The alarming activity prompted researchers to investigate further, specifically noting that attackers concentrated on the jsconsole interface from several unusual IP addresses. FortiGate’s next-generation firewalls are equipped with user-friendly features that allow access to a command-line interface through a web-based management portal, as the researchers explained.

According to the FortiGate Knowledge Base, any changes made via the web-based CLI console are logged with the user interface field set to “jsconsole,” along with the relevant source IP address, whereas changes made over SSH are logged differently. While Arctic Wolf has not confirmed which CLI commands were run through the web console in this campaign, the activity they observed was consistent with earlier patterns of abuse involving the jsconsole interface.

Researchers speculate that due to the distinct techniques and infrastructure observed, this campaign could involve multiple actors; however, the common use of the jsconsole suggests a shared methodology across the board.

A Four-Phase Cyberattack, Still Ongoing

The Arctic Wolf team categorized the ongoing campaign into four distinct phases starting in mid-November: vulnerability scanning, reconnaissance, SSL VPN configuration, and lateral movement. They emphasized that the campaign is active, with potential for identifying additional malicious activities as it progresses.

These phases were determined based on the type of configuration changes detected on the affected firewall devices across the various victim organizations. Over the course of the campaign, the number of successful jsconsole logins from anomalous IP addresses ranged from hundreds to thousands per organization.

Most sessions were brief, often logging off within a second, with multiple login and logout attempts occurring simultaneously in some cases.
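The log characteristics described above (jsconsole logins from anomalous source IPs, configuration changes made through that interface, and sessions that log off within a second) can be turned into a simple detection pass over FortiGate event logs. The following is an added example, not code from Arctic Wolf or Fortinet; the key=value log lines are constructed in the style of FortiOS event logs, and the trusted management network, the field names and the thresholds are assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample lines in the key=value style of FortiOS event logs (assumed format, not real captures).
SAMPLE_LOGS = """\
date=2024-12-02 time=03:14:07 type="event" logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=203.0.113.10 action="login" status="success"
date=2024-12-02 time=03:14:07 type="event" logdesc="Admin logout successful" user="admin" ui="jsconsole" srcip=203.0.113.10 action="logout" status="success"
date=2024-12-02 time=03:15:20 type="event" logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=203.0.113.10 action="login" status="success"
date=2024-12-02 time=03:15:21 type="event" logdesc="Object attribute configured" user="admin" ui="jsconsole" srcip=203.0.113.10 action="Edit" cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"
date=2024-12-02 time=09:00:00 type="event" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" srcip=10.0.0.5 action="login" status="success"
date=2024-12-02 time=09:00:45 type="event" logdesc="Admin logout successful" user="admin" ui="https(10.0.0.5)" srcip=10.0.0.5 action="logout" status="success"
"""

# Assumption: administrative access is only expected from this internal management network.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Matches key=value pairs where the value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line into a dict; quotes are stripped from quoted values."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def is_trusted(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_MGMT_NETS)


def analyze(log_text, max_session_seconds=1.0):
    """Return (alert_type, srcip, detail) tuples for the behaviours described in the article."""
    alerts = []
    open_logins = {}  # (user, srcip) -> login timestamp, used to measure session length
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if "date" not in ev or "time" not in ev:
            continue
        ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        key = (ev.get("user"), ev.get("srcip"))
        via_jsconsole = "jsconsole" in ev.get("ui", "")
        untrusted = bool(ev.get("srcip")) and not is_trusted(ev["srcip"])
        if ev.get("action") == "login" and ev.get("status") == "success":
            open_logins[key] = ts
            if via_jsconsole and untrusted:
                alerts.append(("jsconsole_login_untrusted_ip", ev["srcip"], str(ts)))
        elif ev.get("action") == "logout":
            start = open_logins.pop(key, None)
            if start is not None and (ts - start).total_seconds() <= max_session_seconds:
                alerts.append(("very_short_session", ev["srcip"], str(ts)))
        elif ev.get("logdesc") == "Object attribute configured" and via_jsconsole and untrusted:
            alerts.append(("config_change_via_jsconsole", ev["srcip"], ev.get("cfgpath", "")))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

The trusted-network allowlist is what makes the jsconsole rule useful: a web-console login from an internal administrator workstation is normal, while the same event from an arbitrary internet address is the pattern the researchers describe.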

Don’t Expose Management Interfaces to Public Internet

Fortinet devices are increasingly becoming prime targets for threat actors due to vulnerabilities that can be exploited to gain unauthorized access. To safeguard against these threats, organizations are strongly advised never to expose management interfaces of Fortinet devices to the public internet. These interfaces should be restricted to trusted internal users only.

Leaving such interfaces open significantly broadens the attack surface, giving attackers the opportunity to find and exploit flaws in interfaces that were designed for trusted administrator access, the researchers cautioned. Regular firmware updates are also critical for patching known flaws. Moreover, organizations should ensure syslog monitoring is properly configured across all firewall devices so that malicious activity, such as unexpected administrative logins or configuration changes, is detected early.

Source
www.darkreading.com
