Arctic Wolf has identified a campaign targeting Fortinet FortiGate firewall devices, where unauthorized administrative access was gained through exposed management interfaces. The attackers created new accounts, altered configurations, and exploited a potential zero-day vulnerability. Organizations are urged to disable public access to firewall management interfaces immediately.
Affected: Fortinet FortiGate firewall devices
Key points:
- Campaign observed by Arctic Wolf targeting Fortinet FortiGate firewalls.
- Unauthorized logins on management interfaces led to configuration changes.
- Potential exploitation of a zero-day vulnerability is suspected.
- Attackers extracted credentials using DCSync in compromised environments.
- Organizations should disable public access to firewall management interfaces urgently.
MITRE Techniques:
- Initial Access: T1190: Exploit Public-Facing Application – Exploited public-facing FortiGate firewall management interfaces.
- Persistence: T1136.001: Create Account: Local Account – Created multiple local admin accounts.
- Persistence: T1133: External Remote Services – Modified SSL VPN configurations.
- Persistence: T1078.001: Valid Accounts: Default Accounts – Hijacked default guest account to obtain SSL VPN access.
- Credential Access: T1003.006: OS Credential Dumping: DCSync – Conducted a DCSync attack using a domain admin account.
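Detection logic that turns the mapped techniques above into checks over FortiGate event logs, as an added example that is not from the Arctic Wolf report. It assumes the FortiOS key="value" event-log shape (fields such as logdesc, ui, cfgpath, action); the sample lines and the trusted management range are constructed.

```python
import ipaddress
import re

# Constructed FortiOS-style event lines: a GUI admin login from an untrusted address,
# a new local admin account, an SSL VPN settings change, and a benign SSH login.
SAMPLE_LOGS = [
    'date=2024-12-01 time=08:01:12 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="https(203.0.113.7)" action="login" status="success"',
    'date=2024-12-01 time=08:02:40 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="admin" ui="GUI(203.0.113.7)" action="Add" cfgpath="system.admin" cfgobj="svc_backup"',
    'date=2024-12-01 time=08:05:03 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="admin" ui="GUI(203.0.113.7)" action="Edit" cfgpath="vpn.ssl.settings" cfgobj="settings"',
    'date=2024-12-01 time=09:00:00 type="event" subtype="system" logdesc="Admin login successful" '
    'user="netops" ui="ssh(10.0.5.20)" action="login" status="success"',
]

# Assumed internal management network; anything else reaching the admin UI is suspect.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse(line):
    """Split a key=value / key="value" log line into a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def source_ip(ui):
    """Pull the client address out of a ui field such as https(203.0.113.7)."""
    m = re.search(r"\(([^)]+)\)", ui or "")
    return ipaddress.ip_address(m.group(1)) if m else None


def is_trusted(ip):
    return ip is not None and any(ip in net for net in TRUSTED_MGMT_NETS)


def detect(lines):
    """Return (technique, description) findings for the behaviours in the campaign."""
    findings = []
    for line in lines:
        ev = parse(line)
        ip = source_ip(ev.get("ui"))
        # T1190: successful admin login on the management UI from outside trusted ranges.
        if ev.get("action") == "login" and ev.get("status") == "success" and not is_trusted(ip):
            findings.append(("T1190", f"admin login from untrusted {ip} by {ev.get('user')}"))
        # T1136.001: a new local administrator object was added.
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            findings.append(("T1136.001", f"local admin account created: {ev.get('cfgobj')}"))
        # T1133: SSL VPN configuration was added or edited.
        if ev.get("cfgpath", "").startswith("vpn.ssl") and ev.get("action") in ("Add", "Edit"):
            findings.append(("T1133", f"SSL VPN config changed: {ev.get('cfgpath')}"))
    return findings
```

Feed real FortiGate syslog exports to detect() and tune TRUSTED_MGMT_NETS to the addresses that should legitimately reach the admin interface.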
Indicators of Compromise:
- [IP Address] 23.27.140[.]65
- [IP Address] 66.135.27[.]178
- [IP Address] 157.245.3[.]251
- [IP Address] 45.55.158[.]47
- [IP Address] 167.71.245[.]10
- Check the article for all found IoCs.
Full Research: https://arcticwolf.com/resources/blog-uk/campaign-targeting-publicly-exposed-management-interfaces-on-fortinet-fortigate-firewalls/