Campaign targeting exposed FortiGate firewall management interfaces

Type

Campaign

Actors

❓Unknown

Pub. date

January 10, 2025

Initial access

0-day vulnerability

Impact

Data exfiltration

Observed techniques

Vulnerability exploitation Network lateral movement

Observed tools

DCSync

Targeted technologies

Fortinet Fortigate

References

https://arcticwolf.com/resources/blog/console-chaos-targets-fortinet-fortigate-firewalls/

Status

Finalized

Last edited

Feb 6, 2025 3:20 PM

Threat actors recently targeted Fortinet FortiGate firewall devices with exposed management interfaces in a suspected zero-day campaign. Arctic Wolf observed unauthorized admin logins via the jsconsole interface, new account creation, SSL VPN configurations, and other system changes. The campaign unfolded in distinct phases: vulnerability scanning, reconnaissance, SSL VPN setup, and lateral movement. Anomalous IP activity, including spoofed loopback and DNS resolver addresses, marked early phases, while later stages involved credential extraction using DCSync. Firmware versions 7.0.14–7.0.16 were predominantly affected. The campaign appeared opportunistic, targeting diverse organizations and sectors without specific focus.