A new report from Arctic Wolf Labs reveals a concerning campaign targeting publicly exposed management interfaces on Fortinet FortiGate firewalls. Threat actors exploited vulnerabilities to manipulate configurations, extract credentials, and establish unauthorized access, with activities spanning multiple phases between November and December 2024.
Arctic Wolf Labs began monitoring the activity in early December 2024, observing significant threats to organizations using FortiGate next-generation firewall (NGFW) products. The report states, “By gaining access to management interfaces on affected firewalls, threat actors were able to alter firewall configurations. In compromised environments, threat actors were observed extracting credentials using DCSync.”
While the initial access vector remains unclear, Arctic Wolf Labs assesses with high confidence that mass exploitation of a zero-day vulnerability is a likely cause, citing the compressed timeline and widespread impact.
The campaign progressed through four distinct phases:
- Vulnerability Scanning (November 16–23, 2024): Threat actors used anomalous administrative logins via the jsconsole interface with spoofed IP addresses, including loopback addresses (127.0.0.1) and popular DNS resolvers such as Google Public DNS (8.8.8.8).
- Reconnaissance (November 22–27, 2024): Unauthorized configuration changes began, including edits to the system.console output settings, likely to verify access or facilitate further exploitation.
- SSL VPN Configuration (December 4–7, 2024): Threat actors established SSL VPN tunnels, created new super admin accounts with alphanumeric names, and hijacked existing accounts for VPN access. The report notes, “Threat actors were also observed creating new SSL VPN portals which they added user accounts to directly.”
- Lateral Movement (December 16–27, 2024): Attackers leveraged DCSync to extract domain credentials, enabling potential lateral movement. Arctic Wolf intervened before further progression.
The campaign’s opportunistic nature targeted a diverse range of organizations across industries, suggesting automation rather than tailored attacks.
The report highlights several noteworthy behaviors:
- Abnormal IP Addresses: jsconsole logins originating from spoofed IPs, including loopbacks and public DNS resolvers.
- Frequent Logins and Logouts: Automated sessions with up to four events per second.
- Unusual Ports: SSL VPN portals configured on uncommon ports like 4433 and 59450.
Arctic Wolf Labs emphasizes the importance of securing management interfaces, stating, “Management interfaces should not be exposed on the public internet… Instead, access to management interfaces should be limited to trusted internal users.”
Arctic Wolf concludes, “These types of misconfigurations should be addressed promptly to protect against not only this vulnerability, but an entire class of other potential vulnerabilities in the future.”
Related Posts:
- Akamai Unveils New VPN Post-Exploitation Techniques: Major Vulnerabilities Discovered in Ivanti and FortiGate VPNs
- PoC Releases for 0-day CVE-2024-21762 FortiGate SSLVPN Flaw, Over 133K Remain Vulnerable
- C3RB3R Ransomware Strikes Again: Exploiting the Confluence Vulnerability
- Fortinet FortiGate SSL VPN Pre-Auth RCE Vulnerability
