Zero-day Vulnerability Actively Exploited In Fortinet FortiGate Firewalls

Summary

A campaign exploiting a vulnerability in Fortinet FortiGate firewalls (tracked as CVE-2024-55591, CVSS 9.6) whose management interfaces were exposed to the internet has been observed. Threat actors gained unauthorized administrative access through the CLI console (jsconsole) and changed device configuration, including adding super admin accounts and modifying SSL VPN settings. At the time of the initial reporting the exact vulnerability had not been confirmed by the vendor, but the pattern of activity indicates exploitation of a zero-day. Organizations should immediately remove management access from internet-facing interfaces and update to a fixed firmware release (FortiOS 7.0.17 or later for the affected 7.0 branch).

Technical Description:

In December 2024, a campaign targeting Fortinet FortiGate firewall devices was identified. Threat actors used publicly reachable management interfaces to alter firewall configurations. Their activities included adding super admin accounts, manipulating SSL VPN settings, and, once inside the network, extracting credentials through techniques like DCSync. The unauthorized admin logins came primarily through the CLI console (jsconsole), consistent with exploitation of a then-unpatched vulnerability.

Phase 1: Vulnerability Scanning:

The initial phase involved scanning for FortiGate devices with management interfaces reachable from the internet. Malicious activity then began with numerous successful admin logins through jsconsole, recorded with source addresses that cannot legitimately originate a remote console session: the loopback address and well-known public DNS resolvers (Google DNS, Cloudflare). These addresses are not attacker-controlled; their appearance in the login logs indicates that the recorded source does not reflect the true origin of the session, which is itself a strong indicator of exploitation rather than ordinary credential abuse, and of the attackers working through exposed devices at scale.

Phase 2: Reconnaissance:

Following the initial logins, attackers performed light reconnaissance by editing system settings, such as toggling the console output mode. These early, low-impact changes likely served to confirm that the session had working configuration-write access before more consequential modifications were made.

Phase 3: SSL VPN Configuration Changes:

In the third phase, attackers escalated by adding new super admin accounts to the compromised devices. They used both newly created accounts with random-looking names and hijacked existing user accounts to gain access to the firewall's SSL VPN portal. The accounts were added to existing VPN user groups, and SSL VPN portals were configured to allow remote access.

Phase 4: Lateral Movement:

The final phase saw the attackers use the SSL VPN access they had established to move laterally within the compromised environments. DCSync was used to extract domain administrator credentials from Active Directory, enabling further access to sensitive systems. The attackers then disconnected before carrying out additional steps, possibly to avoid detection.
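The login-then-reconfigure sequence of phases 1 to 3 can be hunted for directly in FortiGate event logs. The following Python script is an added example written for this page, not tooling from the original report or from Fortinet. It parses FortiOS key=value event-log lines, flags admin logins whose recorded source is the loopback address or a public DNS resolver, flags creation of administrators with the super_admin profile, and flags console-driven edits to admin accounts, user groups, the system console and SSL VPN settings. The log lines are constructed for the example; the field names used by the logic (logdesc, ui, srcip, cfgpath, cfgattr, action, cfgobj) follow the FortiOS event-log schema, while the logid values, device name and addresses in the samples are illustrative assumptions and are not used by the detection.

```python
"""Hunt FortiGate event logs for the login-then-reconfigure pattern.
Added example for this page; not from the original report or Fortinet."""
import ipaddress
import re

# One key=value pair; values are either "quoted" or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Config events carry the source inside ui, e.g. ui="jsconsole(8.8.8.8)".
UI_SRC_RE = re.compile(r'\(([^)]+)\)')

# Public resolvers seen as login sources in this campaign; they cannot be
# the true origin of an administrative session (assumed list, extend as needed).
IMPOSSIBLE_SOURCES = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}
# Configuration paths whose modification matches phases 2 and 3.
SENSITIVE_CFGPATHS = ("system.admin", "system.console", "vpn.ssl.", "user.local", "user.group")


def parse_event(line):
    """Split one FortiGate key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_anomalous_source(srcip):
    """True for addresses that cannot be the real origin of a remote session."""
    try:
        addr = ipaddress.ip_address(srcip)
    except ValueError:
        return False
    return addr.is_loopback or srcip in IMPOSSIBLE_SOURCES


def source_of(ev):
    """Source IP from srcip=, or from the ui="channel(ip)" form on config events."""
    if "srcip" in ev:
        return ev["srcip"]
    m = UI_SRC_RE.search(ev.get("ui", ""))
    return m.group(1) if m else ""


def classify(ev):
    """Return (rule, detail) if the event matches a campaign stage, else None."""
    ui = ev.get("ui", "")
    src = source_of(ev)
    if ev.get("logdesc") == "Admin login successful":
        if is_anomalous_source(src):
            return ("anomalous_admin_login", f"user={ev.get('user')} ui={ui} srcip={src}")
        return None
    cfgpath = ev.get("cfgpath", "")
    if not cfgpath.startswith(SENSITIVE_CFGPATHS):
        return None
    # Phase 3: a new administrator with the super_admin profile, by any channel.
    if cfgpath == "system.admin" and ev.get("action") == "Add" and "super_admin" in ev.get("cfgattr", ""):
        return ("super_admin_created", f"admin={ev.get('cfgobj')} via {ui}")
    # Phases 2/3: console toggling, SSL VPN or user-group edits from the CLI console.
    if ui.startswith("jsconsole"):
        return ("sensitive_change_via_jsconsole", f"{ev.get('action')} {cfgpath} {ev.get('cfgobj', '')} by {ev.get('user')}")
    return None


def hunt(log_text):
    """Run classify() over every line; return findings in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        hit = classify(ev)
        if hit:
            findings.append({"time": f"{ev.get('date')} {ev.get('time')}", "rule": hit[0], "detail": hit[1]})
    return findings


# Constructed sample: five attacker events followed by two benign admin events.
SAMPLE_LOG = """
date=2024-12-02 time=03:14:07 devname="FGT-EDGE" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" srcip=127.0.0.1 dstip=203.0.113.10 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"
date=2024-12-02 time=03:14:20 devname="FGT-EDGE" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Edit" cfgtid=1 cfgpath="system.console" cfgobj="" cfgattr="output[more->standard]" msg="Edit system.console"
date=2024-12-02 time=03:15:02 devname="FGT-EDGE" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" srcip=8.8.8.8 dstip=203.0.113.10 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"
date=2024-12-02 time=03:15:41 devname="FGT-EDGE" logid="0100044546" type="event" subtype="system" level="information" vd="root" logdesc="Object configured" user="admin" ui="jsconsole(8.8.8.8)" action="Add" cfgtid=2 cfgpath="system.admin" cfgobj="kq5hz" cfgattr="accprofile[super_admin]" msg="Add system.admin kq5hz"
date=2024-12-02 time=03:16:10 devname="FGT-EDGE" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="kq5hz" ui="jsconsole(8.8.8.8)" action="Edit" cfgtid=3 cfgpath="vpn.ssl.settings" cfgobj="" cfgattr="servercert[Fortinet_Factory->self-sign]" msg="Edit vpn.ssl.settings"
date=2024-12-02 time=09:00:00 devname="FGT-EDGE" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="netops" ui="https(10.20.0.15)" method="https" srcip=10.20.0.15 dstip=10.20.0.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator netops logged in successfully from https(10.20.0.15)"
date=2024-12-02 time=09:02:13 devname="FGT-EDGE" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="netops" ui="https(10.20.0.15)" action="Edit" cfgtid=4 cfgpath="firewall.address" cfgobj="branch-lan" cfgattr="subnet[10.30.0.0 255.255.255.0]" msg="Edit firewall.address branch-lan"
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["time"], f["rule"], f["detail"])
```

Two caveats when turning this into a production rule. The source-address check only catches sessions whose logged source is impossible; an attacker arriving from a routable address would be logged with that address, so the complementary rule is any jsconsole or HTTPS admin login from a source outside the administrator allowlist. The super_admin_created rule fires regardless of channel on purpose: creation of a new super_admin is rare enough on a well-run firewall that it deserves a ticket on its own.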

Potential Zero-Day Exploitation:

The rapid timeline and consistent exploitation across multiple FortiGate firmware versions (7.0.14 through 7.0.16) strongly suggest the use of a zero-day vulnerability (CVE-2024-55591). The anomalous source addresses on the admin logins and the pivot from the management interface to SSL VPN access point to an opportunistic campaign against any exposed device rather than a targeted intrusion.

Conclusion

This campaign highlights the significant risks associated with exposing management interfaces to the public internet. Despite ongoing investigations, it’s clear that misconfigurations like open management interfaces create attack surfaces that are frequently exploited. Organizations are strongly advised to secure these interfaces and apply patches to prevent future intrusions.
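The exposure this conclusion warns about can be checked mechanically from a configuration backup. The following Python script is an added example for this page, not a Fortinet tool. It parses the flat `config ... / edit ... / set ... / next / end` blocks of a FortiOS configuration export and flags WAN-role interfaces that allow any administrative protocol, and administrator accounts with no trusthost restriction. The two configuration fragments are constructed: the weak one reflects the exposure described in this report, the hardened one shows the corrected settings (management protocols removed from the WAN interface, admin logins restricted to an internal subnet). Interface names, addresses and the management subnet are assumptions.

```python
"""Audit a FortiOS configuration export for internet-exposed management.
Added example for this page; the parser handles the flat
config/edit/set/next/end layout only, not nested config blocks."""
import shlex

# Protocols in 'set allowaccess' that expose an administrative login surface.
MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}
ANY_HOST = ["0.0.0.0", "0.0.0.0"]  # trusthost value meaning "no restriction"


def parse_fortios_config(text):
    """Return {section: {object: {attr: [values]}}} for one-level config blocks."""
    sections, section, obj = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] == "config":
            section = " ".join(parts[1:])
            sections.setdefault(section, {})
        elif parts[0] == "edit" and section is not None:
            obj = parts[1]
            sections[section].setdefault(obj, {})
        elif parts[0] == "set" and obj is not None:
            sections[section][obj][parts[1]] = parts[2:]
        elif parts[0] == "next":
            obj = None
        elif parts[0] == "end":
            section, obj = None, None
    return sections


def audit_management_exposure(sections):
    """List the conditions that let an internet host reach an admin login."""
    findings = []
    for name, attrs in sections.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(attrs.get("allowaccess", []))
        if exposed and attrs.get("role", ["undefined"])[0] == "wan":
            findings.append(f"interface {name}: {sorted(exposed)} allowed on a WAN-role interface")
    for name, attrs in sections.get("system admin", {}).items():
        hosts = [v for k, v in attrs.items() if k.startswith("trusthost")]
        # No trusthost lines, or any 0.0.0.0/0 entry, means logins from anywhere.
        if not hosts or any(h[:2] == ANY_HOST for h in hosts):
            findings.append(f"admin {name}: no trusthost restriction; logins accepted from any source")
    return findings


# Constructed fragment reflecting the exposure described in this report.
WEAK_CONFIG = """
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 10.20.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""

# Constructed hardened fragment: no admin protocols on the WAN interface,
# admin logins limited to the (assumed) internal management subnet.
HARDENED_CONFIG = """
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 10.20.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.20.0.0 255.255.255.0
    next
end
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_management_exposure(parse_fortios_config(cfg)) or ["no findings"])
```

The audit deliberately treats the two controls as independent: removing HTTPS and SSH from the WAN interface closes the path this campaign used, while trusthost restrictions limit the blast radius if an interface is ever re-exposed or a LAN-side host is compromised. Interfaces whose role is not set to wan are not flagged here, so review any interface that carries a public address regardless of its role.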


Impact:

The exploitation of management interfaces on firewalls has serious consequences, including unauthorized access to network configurations, creation of admin-level accounts, and the potential for credential theft. Organizations are vulnerable to both remote access and lateral movement, which could lead to further compromise of sensitive systems. If left unchecked, these attacks can result in significant data breaches and operational disruptions.

Topics / Details
  • Tactic Name: Persistence, Credential Access, Initial Access
  • Technique Name: External Remote Services, Create Account, Valid Accounts, OS Credential Dumping, Exploit Public-Facing Application
  • Sub Technique Name: Local Account, Default Accounts, DCSync
  • Attack Type: Vulnerability
  • Targeted Applications: Fortinet FortiGate
  • Region Impacted: Global
  • Industry Impacted: All
  • IOCs: IP 31[.]192[.]107[.]165
  • CVE: CVE-2024-55591
Recommended Actions:
  1. Monitor event logs for admin logins via the CLI console (jsconsole) from unexpected source addresses (loopback, public DNS resolvers, or any address outside the administrator allowlist), and for configuration changes to admin accounts, user groups, the system console and SSL VPN settings.
  2. Enforce multi-factor authentication for all administrative access to firewall interfaces.
  3. Remove management access (HTTP/HTTPS/SSH) from internet-facing interfaces, restrict administrator logins to trusted hosts, reach management only over a VPN or a dedicated management network, and update the firmware to a fixed release.
  4. Use intrusion detection systems (IDS) to identify suspicious activity against the management plane and the SSL VPN portal.
  5. Refer to the IOCs listed in the table above and block them at the corresponding security controls:
IOC Category / Security Control
  • IP Address: Perimeter Firewall
  • URL: Proxy / UTM
  • Domain: Proxy / UTM / DNS Security
  • Hash: Endpoint Security Controls
  • Email Addresses: Email Security