Summary: A new cyber campaign has targeted Fortinet FortiGate firewall devices with exposed management interfaces, leading to unauthorized access and configuration changes. The attackers exploited vulnerabilities to create new accounts and establish SSL VPN access for lateral movement within compromised networks.
Threat Actor: Unknown
Victim: Various organizations
Key Points:
- The campaign began in mid-November 2024, with attackers gaining unauthorized access to firewall management interfaces.
- Attackers created new super admin accounts and modified existing user accounts for SSL VPN access.
- Malicious activities included extensive use of the jsconsole interface from unusual IP addresses.
- The campaign involved multiple phases, from reconnaissance to lateral movement, culminating in credential extraction using DCSync.
- Organizations are advised to restrict access to firewall management interfaces to trusted users only.
Source: https://thehackernews.com/2025/01/zero-day-vulnerability-suspected-in.html