Type
Campaign
Actors
Unknown
Pub. date
January 10, 2025
Initial access
0-day vulnerability
Impact
Data exfiltration
Observed techniques
Vulnerability exploitation
Network lateral movement
Observed tools
DCSync
Targeted technologies
Fortinet Fortigate
References
https://arcticwolf.com/resources/blog/console-chaos-targets-fortinet-fortigate-firewalls/
Status
Finalized
Last edited
Feb 6, 2025 3:20 PM
Threat actors recently targeted Fortinet FortiGate firewall devices with exposed management interfaces in a suspected zero-day campaign. Arctic Wolf observed unauthorized admin logins via the jsconsole interface, new account creation, SSL VPN configurations, and other system changes. The campaign unfolded in distinct phases: vulnerability scanning, reconnaissance, SSL VPN setup, and lateral movement. Anomalous IP activity, including spoofed loopback and DNS resolver addresses, marked the early phases, while later stages involved credential extraction using DCSync. Firmware versions 7.0.14–7.0.16 were predominantly affected. The campaign appeared opportunistic, targeting diverse organizations and sectors without a specific focus.