Fortinet FortiGate Firewalls Vulnerability - Publicly Exposed Management Interfaces


A security research firm (credited at the end of this report) recently identified a campaign that is actively targeting publicly exposed management interfaces on Fortinet FortiGate firewall devices. The campaign involves unauthorized administrative logins, the creation of new administrative accounts, the establishment of SSL VPN connections, and various malicious configuration changes. While the initial method of access has not been definitively identified, a zero-day vulnerability is strongly suspected. Organizations should immediately disable firewall management access on public interfaces.

Campaign Overview

Suspicious activity on Fortinet FortiGate firewalls was detected in early December 2024. Threat actors gained access to management interfaces, which allowed them to alter firewall configurations and, later, extract credentials using DCSync. The speed and scope of the campaign across multiple firmware versions suggest mass exploitation of a zero-day vulnerability.

Technical Background

FortiGate firewalls allow administrators to reach the command-line interface (CLI) through the web-based management interface. Changes made through the web-based CLI console are logged with the user interface "jsconsole" together with the source IP address. The newcli binary manages CLI connections, and a past vulnerability (CVE-2022-26118) demonstrated how threat actors could use newcli to add backdoor users while spoofing a loopback interface as the source IP address. Although direct confirmation is pending, the current campaign exhibits similar patterns in its use of jsconsole.

Campaign Phases

The campaign can be broken down into four distinct phases:

  • Vulnerability Scanning (November 16-23, 2024): The campaign began with vulnerability scanning. Unusual jsconsole sessions were observed, utilizing spoofed IP addresses such as loopback addresses (127.0.0.1) and public DNS resolvers (8.8.8.8, 1.1.1.1). Successful admin logins from these anomalous IP addresses, using the "admin" account, were frequently logged. There was also matching traffic on TCP ports 8023 (web CLI) and 9980 (internal web management interface), corresponding with the jsconsole activity.
  • Reconnaissance (November 22-27, 2024): Threat actors started making unauthorized configuration changes, such as toggling the console output setting between "standard" and "more". This may indicate a preferred mode of interaction or a simple way to confirm successful access.
  • SSL VPN Configuration (December 4-7, 2024): The threat actors sought to gain SSL VPN access. They created new super admin accounts with 5 or 6 alphanumeric characters. They also created local user accounts, which were added to existing VPN groups, and hijacked existing accounts, including the default guest account. Additionally, new SSL VPN portals with specific ports (e.g., 4433, 59449, 59450) were created. They established SSL VPN tunnels from VPS hosting providers. In some instances, the jsconsole activity referenced remote IP addresses rather than spoofed ones.
  • Lateral Movement (December 16-27, 2024): After gaining SSL VPN access, the attackers used DCSync with domain admin credentials to extract credentials for lateral movement. The threat actors used a workstation hostname of kali.

Key Observations

  • The attacks made extensive use of the jsconsole interface from unusual, often spoofed, IP addresses.
  • The firmware versions of affected devices ranged from 7.0.14 to 7.0.16.
  • HTTPS web management traffic from VPS hosting providers' IP addresses was observed before jsconsole activity.
  • The attacks appeared to be opportunistic, affecting a wide variety of sectors and organization sizes.

Response

The reporting firm implemented new detections in its security platform to protect its Managed Detection and Response (MDR) customers and issued a security bulletin in December 2024 warning of this activity. The vendor was notified of the activity on December 12, 2024, and the vendor's PSIRT confirmed on December 17, 2024 that the activity was under investigation.

Remediation and Best Practices

  • Disable firewall management access on public interfaces immediately.
  • Regularly upgrade firewall firmware to the latest version to patch known vulnerabilities.
  • Monitor for unusual jsconsole activity, particularly from spoofed or anomalous IP addresses.
  • Monitor web management traffic on the WAN interface for traffic exceeding 1MB originating from VPS hosting providers, with session durations over 100 seconds.
  • Monitor for unexpected SSL VPN logins originating from VPS hosting providers.
  • Limit access to management interfaces to trusted internal users.
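The two log-based checks above (jsconsole logins from spoofed sources, and long, large web-management sessions arriving on a WAN port) can be expressed as simple rules over FortiGate's key=value syslog lines. The following is an added example, not code from the original report or from the vendor; the sample log lines are constructed, the field names approximate FortiOS event and traffic logs, and the trusted network, WAN interface name and management port (443) are assumptions to adjust per deployment.

```python
import ipaddress
import re

# Constructed FortiGate-style key=value log lines (not real logs from the report).
# Field names approximate FortiOS event/traffic logs and are an assumption.
SAMPLE_LOGS = [
    'date=2024-11-18 time=03:12:44 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="jsconsole(127.0.0.1)" method="jsconsole" srcip=127.0.0.1 action="login" status="success"',
    'date=2024-11-19 time=04:01:10 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="jsconsole(8.8.8.8)" method="jsconsole" srcip=8.8.8.8 action="login" status="success"',
    'date=2024-11-20 time=09:30:00 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="https(10.10.1.5)" method="https" srcip=10.10.1.5 action="login" status="success"',
    'date=2024-11-21 time=11:00:00 type="traffic" subtype="local" srcip=203.0.113.77 dstip=198.51.100.1 '
    'dstport=443 srcintf="wan1" duration=340 sentbyte=900000 rcvdbyte=400000 action="accept"',
    'date=2024-11-21 time=11:05:00 type="traffic" subtype="local" srcip=10.10.1.5 dstip=198.51.100.1 '
    'dstport=443 srcintf="internal" duration=30 sentbyte=2000 rcvdbyte=5000 action="accept"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fortigate_line(line):
    """Parse one key=value FortiGate log line into a dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

# Sources the report describes as spoofed in jsconsole sessions: loopback and public DNS resolvers.
SPOOFED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "8.8.8.8/32", "1.1.1.1/32")]
TRUSTED_MGMT = [ipaddress.ip_network("10.10.0.0/16")]  # assumption: internal admin network
WAN_INTERFACES = {"wan1"}                                # assumption: public-facing interface names
MGMT_PORT = "443"                                        # assumption: HTTPS admin port

def is_in(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def detect(lines):
    """Return (rule, srcip) findings for the report's two log-based monitoring rules."""
    findings = []
    for line in lines:
        e = parse_fortigate_line(line)
        src = e.get("srcip")
        if not src:
            continue
        # Rule 1: successful admin login via jsconsole from a spoofed/anomalous source address.
        if (e.get("action") == "login" and e.get("status") == "success"
                and e.get("method") == "jsconsole" and is_in(src, SPOOFED_NETS)):
            findings.append(("jsconsole_spoofed_login", src))
        # Rule 2: web-management session on a WAN port over 100 s and over 1 MB from an untrusted source.
        if e.get("type") == "traffic" and e.get("srcintf") in WAN_INTERFACES and e.get("dstport") == MGMT_PORT:
            total_bytes = int(e.get("sentbyte", 0)) + int(e.get("rcvdbyte", 0))
            if int(e.get("duration", 0)) > 100 and total_bytes > 1_000_000 and not is_in(src, TRUSTED_MGMT):
                findings.append(("long_large_wan_mgmt_session", src))
    return findings
```

Enrich rule 2 with ASN data to restrict it to VPS hosting providers, as the report advises, once a GeoIP/ASN source is available.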

Indicators of Compromise (IOCs)

Several IP addresses associated with VPS hosting providers were identified as indicators of compromise. These IPs were used both for SSL VPN client connections and as web management interface clients.


Credit & Thanks to Arctic Wolf Networks Inc

Conclusion

This campaign highlights the severe risk of exposing management interfaces to the public internet. Addressing such misconfigurations is essential to protect against this and other potential vulnerabilities. The technical details provided in this report should help organizations defend against the early stages of this campaign.