Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls – Arctic Wolf

Arctic Wolf has observed a campaign targeting Fortinet FortiGate firewall devices that involves unauthorized logins, account creation, and configuration changes through management interfaces exposed on the public internet. The campaign is likely exploiting a zero-day vulnerability. Organizations are urged to disable public access to firewall management interfaces immediately. Affected: Fortinet FortiGate firewall devices

Keypoints :

Unauthorized administrative logins on Fortinet FortiGate firewalls.
Creation of new accounts and SSL VPN authentication through compromised accounts.
Configuration changes observed in compromised environments.
High confidence in exploitation of a zero-day vulnerability.
Organizations advised to disable public management access urgently.
Campaign phases include scanning, reconnaissance, SSL VPN configuration, and lateral movement.

MITRE Techniques :

Initial Access: T1190 – Exploit Public-Facing Application: Exploited public-facing FortiGate firewall management interfaces.
Persistence: T1136.001 – Create Account: Local Account: Created multiple local admin accounts.
Persistence: T1133 – External Remote Services: Modified SSL VPN configurations.
Persistence: T1078.001 – Valid Accounts: Default Accounts: Hijacked default guest account to obtain SSL VPN access.
Credential Access: T1003.006 – OS Credential Dumping: DCSync: Conducted DCSync attack using domain admin credentials.

Indicator of Compromise :

[IP Address] 23.27.140[.]65
[IP Address] 66.135.27[.]178
[IP Address] 157.245.3[.]251
[IP Address] 45.55.158[.]47
[IP Address] 167.71.245[.]10
Check the article for all found IoCs.

Full Research: https://arcticwolf.com/resources/blog/console-chaos-targets-fortinet-fortigate-firewalls/

Tags: PASSWORD, ZERO-DAY, DNS, PRIVILEGE, HUNTING, LATERAL MOVEMENT, CVE, VULNERABILITY