Powered by MOMENTUM MEDIA

Researchers warn of ‘mass exploitation’ of Fortinet FortiGate zero-day

Multiple organisations may have been compromised in an intrusion campaign that ran throughout November and December last year.

David Hollingworth
Tue, 14 Jan 2025

Multiple threat actors have been observed exploiting a likely zero-day vulnerability in publicly exposed Fortinet FortiGate firewall devices during a multi-stage campaign in the last couple of months of 2024.

Security researchers at Arctic Wolf Labs spotted the activity in early December, and while the initial access vector currently remains unknown, they believe with “high confidence” that mass exploitation of the unidentified zero-day is likely occurring.

Arctic Wolf has so far identified four distinct phases of the campaign:

  1. Vulnerability scanning (16 to 23 November 2024)
  2. Reconnaissance (22 to 27 November 2024)
  3. SSL VPN configuration (4 to 7 December 2024)
  4. Lateral movement (16 to 27 December 2024)

“These phases are delineated by the types of malicious configuration changes that were observed on compromised firewall devices across multiple victim organisations, and the activities that were taken by threat actors upon gaining access,” Arctic Wolf’s researchers said in a 10 January blog post.

“Note, however, that our portrayal of these phases may be incomplete or oversimplified given that our visibility is likely limited to a narrow subset of the overall activity in the campaign.”

The initial scanning phase saw multiple successful login events from “anomalous IP addresses”, all using an admin account and targeting organisations across a variety of sectors. At much the same time as this activity, HTTPS web management traffic was observed on the same compromised devices.

Arctic Wolf observed anywhere from several to several thousand login attempts during this phase, most sessions lasting only seconds, and often with multiple attempts per second.

“The diversity of victim organisation profiles combined with the appearance of automated login/logout events suggests that the targeting was opportunistic in nature rather than being deliberately and methodically targeted,” Arctic Wolf said.

In the reconnaissance phase, researchers began seeing the first configuration changes, which were made across several victim organisations. These changes toggled a particular user interaction setting, but their purpose remains unknown.

During the third phase, substantial configuration changes were observed to establish SSL VPN access. In some cases, intruders created super admin accounts, while in others, existing accounts were hijacked. Several further accounts were then created, alongside new SSL VPN portals.

“Upon making the necessary changes, threat actors established SSL VPN tunnels with the affected devices,” Arctic Wolf said.

“All of the client IP addresses of the tunnels originated from a handful of VPS hosting providers.”

Finally, once SSL VPN access was established, the intruders extracted further credentials to achieve lateral movement. According to Arctic Wolf, at this point, the threat actors were removed from the impacted systems before they could do anything else.

Fortinet was informed of the campaign on 12 December, with the company confirming it was actively investigating the incident on 17 December. The firmware versions of affected devices were between 7.0.14 and 7.0.16.

Arctic Wolf recommends that organisations disable firewall management access on public interfaces as urgently as possible.
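The traces the scanning and SSL VPN configuration phases leave behind (admin logins over the web UI from unexpected addresses, bursts of logins within the same second, and the creation of admin accounts and SSL VPN portals) are all visible in a firewall's event log. The following is an added example, not code from Arctic Wolf or Fortinet, that hunts for those traces; it assumes key=value event lines that only approximate FortiGate's real format, a constructed sample log, and a hypothetical trusted admin subnet of 10.0.0.0/24.

```python
import re
from collections import Counter
# Constructed sample events, loosely modelled on FortiGate key=value event logs.
# Field names only approximate the real format; IPs are documentation ranges.
SAMPLE_LOGS = """\
date=2024-11-16 time=03:12:01 type="event" action="login" status="success" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7
date=2024-11-16 time=03:12:01 type="event" action="logout" status="success" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7
date=2024-11-16 time=03:12:01 type="event" action="login" status="success" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7
date=2024-11-16 time=09:00:00 type="event" action="login" status="success" user="admin" ui="ssh(10.0.0.5)" srcip=10.0.0.5
date=2024-12-05 time=22:41:10 type="event" action="Add" user="admin" ui="https(198.51.100.7)" cfgpath="system.admin" cfgobj="vpnadm" msg="Add system.admin vpnadm"
date=2024-12-05 time=22:43:55 type="event" action="Add" user="admin" ui="https(198.51.100.7)" cfgpath="vpn.ssl.web.portal" cfgobj="portal2" msg="Add vpn.ssl.web.portal portal2"
date=2024-12-05 time=22:50:00 type="event" action="Edit" user="admin" ui="https(10.0.0.5)" cfgpath="firewall.policy" cfgobj="12" msg="Edit firewall.policy 12"
"""
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
UI_RE = re.compile(r'^(\w+)\((\d{1,3}(?:\.\d{1,3}){3})\)$')

TRUSTED_MGMT_PREFIXES = ("10.0.0.",)   # assumption: the site's internal admin subnet
SENSITIVE_CFG_PATHS = ("system.admin", "vpn.ssl.web.portal", "user.local")

def parse_line(line):
    """Split one key=value log line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def source_of(ev):
    """Return (method, ip) from the ui field, e.g. 'https(198.51.100.7)'."""
    m = UI_RE.match(ev.get("ui", ""))
    return (m.group(1), m.group(2)) if m else ("?", ev.get("srcip", "?"))

def analyse(log_text):
    """Flag the traces the scanning and SSL VPN phases would leave in the event log."""
    untrusted_logins, config_changes = [], []
    per_second = Counter()   # (ip, date, time) -> successful logins in that second
    for line in log_text.splitlines():
        ev = parse_line(line)
        method, ip = source_of(ev)
        if ev.get("action") == "login" and ev.get("status") == "success":
            per_second[(ip, ev["date"], ev["time"])] += 1
            if not ip.startswith(TRUSTED_MGMT_PREFIXES):
                untrusted_logins.append((ev["date"], ev["time"], ev.get("user"), method, ip))
        if ev.get("cfgpath", "").startswith(SENSITIVE_CFG_PATHS):   # new admins / VPN portals
            config_changes.append({"date": ev["date"], "time": ev["time"], "user": ev.get("user"),
                                   "action": ev["action"], "cfgpath": ev["cfgpath"],
                                   "cfgobj": ev.get("cfgobj"), "via": f"{method}({ip})"})
    return {"untrusted_admin_logins": untrusted_logins,
            "login_bursts": [(ip, d, t, n) for (ip, d, t), n in per_second.items() if n > 1],
            "sensitive_config_changes": config_changes}
```

Run against the sample, `analyse(SAMPLE_LOGS)` reports two admin logins from 198.51.100.7 (two within one second, matching the automated login/logout pattern) and the two sensitive changes that created an admin account and an SSL VPN portal.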

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
