Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls Utilizing Zero-Day

Threat actors exploit a suspected zero-day vulnerability to alter firewall configurations and extract credentials using DCSync.
Fortinet

Executive Summary

In early December 2024, Arctic Wolf Labs identified a sophisticated cyberattack campaign targeting Fortinet FortiGate firewall devices. Unidentified threat actors exploited a suspected zero-day vulnerability to gain unauthorized access to the devices’ management interfaces, allowing them to alter firewall configurations and extract credentials using DCSync.

Community Impact

A successful compromise of FortiGate firewalls in the retail and hospitality sector could result in unauthorized access to sensitive customer and loyalty program data, financial records, and payment systems. Attackers could use such access to disrupt point-of-sale systems, exfiltrate payment card data, or deploy ransomware, leading to operational downtime and reputational harm. Arctic Wolf advises disabling firewall management access on public-facing interfaces and, as a general security best practice, regularly upgrading firewall firmware to the latest available version to protect against known security issues. This report follows the RH-ISAC Intelligence Team's reporting on Four Chinese APT Groups Target Critical Infrastructure Disruption, which covered APT Volt Typhoon using living-off-the-land (LOTL) techniques to compromise Fortinet devices. RH-ISAC Core Members are encouraged to review this report and the Arctic Wolf Labs report linked above, and to ingest the Indicators of Compromise included below.

Technical Analysis

The attack on Fortinet FortiGate devices progressed through four phases: vulnerability scanning, reconnaissance, SSL VPN configuration, and lateral movement. In the first phase, threat actors conducted mass vulnerability scanning and exploited a suspected zero-day vulnerability in devices running firmware versions 7.0.14 through 7.0.16. The resulting administrative logins were recorded as coming from the jsconsole interface with spoofed source addresses (loopback and well-known public DNS resolver addresses), a detail that makes the activity easy to miss if only external IP addresses are being watched; the logins were numerous and repeated. During the reconnaissance phase, the attackers made minor but suspicious configuration changes, most likely to confirm that their access worked and to establish control of the device.

In the SSL VPN configuration phase, the attackers created super_admin accounts with randomized names or hijacked existing accounts, and enabled SSL VPN access for them. They modified SSL VPN portal settings, moved the SSL VPN service to non-standard ports, and added the compromised accounts to VPN access groups. In the final phase, once inside the network over SSL VPN, the attackers used domain administrator credentials to perform DCSync against Active Directory, replicating account password hashes from the domain controller to obtain further credentials and enable lateral movement.

Traffic analysis revealed that HTTPS web management sessions from VPS-hosted IP addresses frequently preceded the malicious jsconsole activity. This suggests the attackers used the internet-exposed web management interface to exploit the vulnerability before pivoting to internal reconnaissance and privilege escalation.

Indicators of Compromise

Arctic Wolf has provided the following list of confirmed malicious IP addresses, with the hosting network and the role in which each address was observed.

Indicator (hosting network): observed role

23.27.140[.]65 (AS149440 – Evoxt Enterprise): SSL VPN client IP address; web management interface client
66.135.27[.]178 (AS20473 – The Constant Company LLC): SSL VPN client IP address; web management interface client
157.245.3[.]251 (AS14061 – DigitalOcean LLC): SSL VPN client IP address; web management interface client
45.55.158[.]47 (AS14061 – DigitalOcean LLC): SSL VPN client IP address; web management interface client
167.71.245[.]10 (AS14061 – DigitalOcean LLC): SSL VPN client IP address; web management interface client
137.184.65[.]71 (AS14061 – DigitalOcean LLC): SSL VPN client IP address
155.133.4[.]175 (AS62240 – Clouvider Limited): SSL VPN client IP address; web management interface client
31.192.107[.]165 (AS50867 – Hostkey B.V.): SSL VPN client IP address
37.19.196[.]65 (AS212238 – Datacamp Limited): web management interface client
64.190.113[.]25 (AS399629 – BL Networks): web management interface client
