The Register: Miscreants ‘mass exploited’ Fortinet firewalls, ‘highly probable’ zero-day used

Source URL: https://www.theregister.com/2025/01/14/miscreants_mass_exploited_fortinet_firewalls/
Source: The Register
Title: Miscreants ‘mass exploited’ Fortinet firewalls, ‘highly probable’ zero-day used

Feedly Summary: Ransomware ‘not off the table,’ Arctic Wolf threat hunter tells El Reg
Miscreants running a “mass exploitation campaign” against Fortinet firewalls, which peaked in December, may be using an unpatched zero-day vulnerability to compromise the equipment, according to security researchers who say they’ve observed the intrusions.…

AI Summary and Description: Yes

**Summary:** The text details a mass exploitation campaign targeting Fortinet firewalls, believed to leverage an unpatched zero-day vulnerability. Security firm Arctic Wolf Labs has investigated a series of intrusions, documenting sophisticated techniques used by the attackers to compromise firewall configurations and steal credentials for lateral movement within victim networks.

**Detailed Description:**

– **Background:** Security researchers have identified a significant exploitation campaign against Fortinet firewalls, which peaked in December. The attackers are suspected of using an unpatched zero-day vulnerability.
– **Observations:** Arctic Wolf Labs detected this cluster of intrusions affecting Fortinet devices, with opportunistic exploitation leading to hundreds to thousands of malicious login events.
– **Initial Access:** Every affected device had its management interface exposed to the internet; the researchers consider it highly probable that the attackers reached that interface through an as-yet-unpatched vulnerability, though the specific flaw had not been confirmed.

– **Exploitation Techniques:**
– Alteration of firewall configurations to create SSL VPN tunnels for persistent access.
– Credential theft to enable lateral movement across compromised networks.
– Arctic Wolf continued monitoring the cluster; at the time of writing Fortinet had not confirmed which vulnerability, if any, was being exploited.

– **Comprehensive Activity:**
– Heavy use of the firewall's web-based command-line interface, with large numbers of login events from source IP addresses that appear to be spoofed.
– Configuration changes to facilitate SSL VPN access include the creation of new admin and user accounts.
– Attackers also hijacked existing user accounts and attempted substantial alteration of configurations.
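The activity listed above (web-CLI logins, logins from implausible source addresses, and configuration changes that add admin or user accounts or touch SSL VPN settings) is what a defender would hunt for in the firewall's own event logs. The following is an added example, not tooling from Arctic Wolf, Fortinet, or The Register: a small hunt script over FortiGate-style `key=value` event lines. The log lines are constructed for the demo, and the field names (`logdesc`, `ui`, `srcip`, `cfgpath`, `status`), the trusted management network, and the watched configuration paths are assumptions you would adjust to your own FortiOS logs.

```python
"""Hunt FortiGate-style event logs for the login and config-change patterns
described on this page. Added example with constructed sample data; field
names and watched paths are assumptions, not a vendor-documented schema."""
import ipaddress
import re

# Assumption: admins only ever log in from this network. Replace with yours.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Assumption: FortiOS cfgpath prefixes covering admin accounts, local user
# accounts and SSL VPN settings, i.e. the objects the attackers modified.
WATCHED_CFGPATHS = ("system.admin", "user.local", "vpn.ssl.")

# key=value pairs; values may be double-quoted (with spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines (not real captures), in FortiGate log style.
SAMPLE_LOGS = [
    # 1: admin login through the web CLI from a public address
    'date=2024-12-03 time=01:14:22 type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" '
    'srcip=203.0.113.45 action="login" status="success"',
    # 2: admin login through the web CLI claiming a loopback source
    'date=2024-12-03 time=01:14:25 type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" '
    'srcip=127.0.0.1 action="login" status="success"',
    # 3: a new super-admin account is created
    'date=2024-12-03 time=01:14:40 type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole" '
    'cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"',
    # 4: SSL VPN settings are changed
    'date=2024-12-03 time=01:15:02 type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole" '
    'cfgpath="vpn.ssl.settings" cfgattr="status[enable]" msg="Edit vpn.ssl.settings"',
    # 5: benign HTTPS GUI login from the management network
    'date=2024-12-03 time=09:00:00 type="event" subtype="system" '
    'logdesc="Admin login successful" user="netops" ui="https(10.0.0.5)" '
    'srcip=10.0.0.5 action="login" status="success"',
    # 6: benign firewall policy edit
    'date=2024-12-03 time=09:05:12 type="event" subtype="system" '
    'logdesc="Object attribute configured" user="netops" ui="https(10.0.0.5)" '
    'cfgpath="firewall.policy" cfgobj="42" msg="Edit firewall.policy 42"',
]


def parse_event(line):
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {k: (q or u) for k, q, u in KV_RE.findall(line)}


def classify(ev):
    """Return the rule names this event trips; empty list means benign."""
    hits = []
    desc = ev.get("logdesc", "")
    if desc.startswith("Admin login") and ev.get("status") == "success":
        # The web-based CLI is rarely used by humans for routine admin work.
        if ev.get("ui", "").startswith("jsconsole"):
            hits.append("login_via_web_cli")
        src = ev.get("srcip")
        if src:
            ip = ipaddress.ip_address(src)
            # A loopback or unspecified source on a remote login is not real
            # traffic: treat it as a spoofed or forged source address.
            if ip.is_loopback or ip.is_unspecified:
                hits.append("login_from_spoofed_src")
            elif not any(ip in net for net in TRUSTED_MGMT_NETS):
                hits.append("login_from_untrusted_src")
    path = ev.get("cfgpath", "")
    if path.startswith(WATCHED_CFGPATHS):
        hits.append("cfg_change:" + path)
    return hits


def hunt(lines):
    """Run every line through classify(); keep (line_no, user, srcip, rules)."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        rules = classify(ev)
        if rules:
            findings.append((n, ev.get("user", "?"), ev.get("srcip", "?"), rules))
    return findings


if __name__ == "__main__":
    for line_no, user, src, rules in hunt(SAMPLE_LOGS):
        print(f"line {line_no}: user={user} srcip={src} -> {', '.join(rules)}")
```

Run this against logs that have been forwarded off the firewall to a syslog collector or SIEM: an attacker who already holds an admin session on the device can edit or clear the local event log, so the on-box copy is not a trustworthy record once a compromise is suspected.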

– **Potential Threats:**
– While the exact motives remain unclear, concerns about ransomware attacks persist, considering previous associations with similar infrastructure and tools (notably, references to Kali Linux).
– An ongoing investigation was acknowledged by Fortinet, yet confirmation of specific vulnerabilities being targeted or mitigated has not been provided.

– **Conclusion:** This incident underscores the importance of timely patching and rapid response to security incidents, particularly for widely used networking equipment, and of never exposing a firewall's management interface to the internet. Security professionals must remain vigilant for signs of exploitation within network infrastructure and take proactive measures to safeguard their systems.

The implications of this report are significant for professionals in the fields of security, compliance, and infrastructure management, as it highlights the evolving nature of cyber threats and the urgent need for robust defenses against emerging vulnerabilities.