Researchers warn of ‘mass exploitation’ of Fortinet FortiGate zero-day - Cyber Daily

Researchers warn of ‘mass exploitation’ of Fortinet FortiGate zero-day - Cyber Daily

Latest News on Fortinet Zero-Day Vulnerability Exploitation and FortiGate Firewall Security Breach

Overview of the Vulnerability

A critical zero-day vulnerability in Fortinet's FortiOS and FortiProxy has been identified and is being actively exploited by unknown threat actors. Here are the key details:

  • Vulnerability Identifier: The vulnerability is tracked as CVE-2024-5559145.
  • Affected Versions: It impacts FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.0.0 through 7.0.19, as well as FortiProxy versions 7.2.0 through 7.2.1245.

Nature of the Vulnerability

The vulnerability is an authentication bypass flaw that allows remote attackers to gain super-admin privileges by making crafted requests to the Node.js websocket module. This enables attackers to hijack Fortinet firewalls and breach enterprise networks45.

Exploitation and Attack Campaign

  • Initial Detection: The malicious activity was first observed in mid-November 2024, with Arctic Wolf researchers noting a campaign targeting Fortinet FortiGate firewall devices with management interfaces exposed on the public internet145.
  • Attack Phases: The campaign involves four distinct phases:
    • Vulnerability Scanning (November 16, 2024 to November 23, 2024)
    • Reconnaissance (November 22, 2024 to November 27, 2024)
    • SSL VPN Configuration (December 4, 2024 to December 7, 2024)
    • Lateral Movement (December 16, 2024 to December 27, 2024)5.
  • Activities Observed: The attackers have been creating new admin or local users, adding them to SSL VPN user groups, changing firewall policies, and using rogue accounts to log in to SSL VPNs to gain access to internal networks145.

Indicators of Compromise (IOCs)

Arctic Wolf provided IOCs, including IP addresses associated with the threat actors, such as 1.1.1.1, 127.0.0.1, 2.2.2.2, 8.8.8.8, and 8.8.4.45.

Mitigation and Recommendations

  • Patches: Fortinet has released security patches for the affected versions45.
  • Workarounds: Fortinet advises disabling the HTTP/HTTPS administrative interface or limiting the IP addresses that can reach the administrative interface via local-in policies5.
  • Customer Communication: Fortinet has been proactively communicating with customers to provide guidance, solutions, and workarounds to mitigate the risk4.

Severity and Impact

The vulnerability has been awarded a critical severity score of 9.6 out of 10.0, indicating a high risk to organizations using the affected versions of FortiOS and FortiProxy. The exploitation of this vulnerability allows attackers to gain significant control over the network, making it a critical issue for enterprise security45.

This incident is part of a broader trend where threat actors are increasingly targeting network security devices such as firewalls and VPNs due to their strategic position as entry points to IT environments4.

For the most up-to-date information and specific guidance, refer to the advisories from Fortinet and the detailed analysis by Arctic Wolf:

  • [Fortinet Advisory on CVE-2024-55591]4
  • [Arctic Wolf Analysis on the Campaign]15