
Arctic Wolf Labs' threat research team observed a campaign of suspicious activity on Fortinet FortiGate firewall devices in early December 2024. After gaining access to the management interfaces of the affected firewalls, the attackers changed firewall configurations, created new accounts, and used those accounts to log into the SSL VPN portals.
In the compromised environments, the threat actors were also observed using DCSync to extract credentials. The initial access vector has not yet been confirmed, but given the compressed timeline across the affected organizations and the firmware versions involved, Arctic Wolf Labs assesses that exploitation of a zero-day vulnerability is very likely. Key findings from Arctic Wolf at a glance:
- Arctic Wolf has observed a campaign affecting Fortinet FortiGate firewall devices whose management interfaces are exposed to the public Internet.
- The campaign includes unauthorized administrative logins to the firewalls' management interfaces, the creation of new accounts, SSL VPN authentication through these accounts, and various other configuration changes.
- Although the initial access vector has not yet been definitively confirmed, a zero-day vulnerability is very likely.
- Urgent: Organizations should disable firewall management access via public interfaces as soon as possible.
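The three activities in the findings above (an administrative login on the management interface from an untrusted source, creation of a new account, and an SSL VPN login by that freshly created account) can be correlated from FortiGate event logs. The following Python script is an added example and is not code from the original article or from Arctic Wolf. The log lines are constructed in FortiGate's key=value syslog style; the field names (`logdesc`, `cfgpath`, `cfgobj`, `srcip`, `remip`, `tunneltype`), the trusted management networks and the 24-hour correlation window are assumptions for the example, and should be checked against the log format of the FortiOS version in use.

```python
"""Added example: correlate FortiGate-style event logs for the activities the
campaign summary describes. Sample log lines are constructed, not real logs."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: management logins are only expected from these internal ranges.
TRUSTED_MGMT_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Assumed FortiOS config paths under which account objects are created:
# system.admin for administrators, user.local for local (SSL VPN) users.
ACCOUNT_CFGPATHS = {"system.admin", "user.local"}
# Flag SSL VPN logins by accounts created within this window (assumed value).
NEW_ACCOUNT_WINDOW = timedelta(hours=24)

# Constructed sample lines in key=value style (not captured from a real device).
SAMPLE_LOGS = """\
date=2024-12-02 time=03:12:40 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(203.0.113.9)" srcip=203.0.113.9 action="login" status="success"
date=2024-12-02 time=03:13:05 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.9)" action="Add" cfgpath="system.admin" cfgobj="adm_support"
date=2024-12-02 time=03:13:40 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.9)" action="Add" cfgpath="user.local" cfgobj="svc_backup"
date=2024-12-02 time=03:15:30 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" user="svc_backup" remip=198.51.100.23 action="tunnel-up" tunneltype="ssl-web"
date=2024-12-02 time=09:00:00 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" srcip=10.0.0.5 action="login" status="success"
date=2024-12-02 time=09:05:00 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" user="jdoe" remip=198.51.100.77 action="tunnel-up" tunneltype="ssl-web"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> dict:
    """Parse one key=value log line into a dict; quoted values lose their quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def event_time(ev: dict) -> datetime:
    """Combine the date and time fields into a datetime."""
    return datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")


def is_trusted(ip: str) -> bool:
    """True if the address falls inside a trusted management network."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def analyze(log_text: str) -> list:
    """Walk the log in order and return a list of findings (dicts)."""
    findings = []
    created = {}  # account name -> creation time, for the VPN correlation
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        ts = event_time(ev)
        if ev.get("logdesc") == "Admin login successful" and ev.get("srcip"):
            # Finding 1: management login from outside the trusted networks.
            if not is_trusted(ev["srcip"]):
                findings.append({"time": ts, "kind": "admin_login_untrusted_source",
                                 "user": ev.get("user"), "src": ev["srcip"]})
        elif ev.get("cfgpath") in ACCOUNT_CFGPATHS and ev.get("action") == "Add":
            # Finding 2: a new administrator or local user object was added.
            name = ev.get("cfgobj")
            created[name] = ts
            findings.append({"time": ts, "kind": "account_created",
                             "user": ev.get("user"), "account": name,
                             "cfgpath": ev["cfgpath"]})
        elif ev.get("subtype") == "vpn" and ev.get("action") == "tunnel-up":
            # Finding 3: SSL VPN login by an account created shortly before.
            user = ev.get("user")
            if user in created and timedelta(0) <= ts - created[user] <= NEW_ACCOUNT_WINDOW:
                findings.append({"time": ts, "kind": "sslvpn_login_new_account",
                                 "account": user, "src": ev.get("remip"),
                                 "created_at": created[user]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        details = {k: v for k, v in f.items() if k not in ("time", "kind")}
        print(f["time"], f["kind"], details)
```

On the sample input the script reports the 03:12 admin login from 203.0.113.9, the two account additions, and the SSL VPN login by `svc_backup` two minutes after its creation, while the 09:00 login from the internal range and the VPN login by the pre-existing user `jdoe` produce nothing. Running the same correlation over real logs requires only feeding the device's syslog output to `analyze` and adjusting the trusted networks.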
About Arctic Wolf
Arctic Wolf is a global leader in security operations, providing the first cloud-native security operations platform to mitigate cyber risk. Based on threat telemetry spanning endpoint, network and cloud sources, the Arctic Wolf® Security Operations Cloud analyzes more than 1.6 trillion security events per week worldwide. It provides business-critical insights into almost all security use cases and optimizes customers' heterogeneous security solutions. The Arctic Wolf platform is used by more than 2,000 customers worldwide. It provides automated threat detection and response, enabling organizations of all sizes to set up world-class security operations at the push of a button.