Fortinet FortiGate Firewalls Targeted in Sophisticated Campaign Exploiting Management Interfaces

Summary: A new report from Arctic Wolf Labs reveals a campaign targeting Fortinet FortiGate firewalls, where threat actors exploited vulnerabilities to manipulate configurations and gain unauthorized access. The campaign, observed between November and December 2024, involved multiple phases of exploitation affecting various organizations.

Threat Actor: Unknown
Victim: Organizations using Fortinet FortiGate firewalls

Key Points:

  • Threat actors exploited management interface vulnerabilities to alter configurations and extract credentials.
  • The campaign progressed through phases: vulnerability scanning, reconnaissance, SSL VPN configuration, and lateral movement.
  • Automated attacks targeted a diverse range of organizations, indicating a lack of tailored approaches.
  • Abnormal IP addresses and unusual login patterns were noted during the attack.
  • Arctic Wolf Labs emphasizes the need to secure management interfaces from public exposure.

According to available information, organizations such as Alorica, Edward Jones, CT Corp (Indonesia), RWJBarnabas Health, Travis Perkins, Druva, Pure Storage, PicPay, and GoDaddy are listed as companies using Fortinet FortiGate firewalls. They span various industries, including professional services, banking, healthcare, and distribution, which highlights Fortinet's reach across company sizes and markets.

Source: https://securityonline.info/fortinet-fortigate-firewalls-targeted-in-sophisticated-campaign-exploiting-management-interfaces/