Type: Campaign
Actors:
Pub. date: January 10, 2025
Initial access: 0-day vulnerability
Impact: Data exfiltration
Targeted technologies:
Status: Stub
Last edited: Jan 12, 2025 3:00 PM
Threat actors recently targeted Fortinet FortiGate firewall devices with exposed management interfaces in a suspected zero-day campaign. Arctic Wolf observed unauthorized admin logins via the jsconsole interface, new account creation, SSL VPN configuration changes, and other system changes. The campaign unfolded in distinct phases: vulnerability scanning, reconnaissance, SSL VPN setup, and lateral movement. Anomalous IP activity, including spoofed loopback and DNS resolver addresses as login sources, marked the early phases, while later stages involved credential extraction using DCSync. Firmware versions 7.0.14–7.0.16 were predominantly affected. The campaign appeared opportunistic, targeting organizations across diverse sectors without a specific focus.