Zero-Day Bug Fueling Fortinet Firewall Attacks

A zero-day flaw is likely to blame for a series of recent attacks on Fortinet FortiGate firewall devices that have management interfaces exposed on the public Internet. Attackers are targeting the devices to make unauthorized administrative logins and other configuration changes, create new accounts, and perform SSL VPN authentication, researchers have found.

Researchers at Arctic Wolf have been tracking the campaign since they first noticed suspicious activity on FortiGate devices in early December, they revealed in a recent blog post. They observed threat actors gaining access to management interfaces on affected firewalls — the firmware versions of which ranged between 7.0.14 and 7.0.16 —  and altering their configurations. Moreover, in compromised environments, attackers also were using DCSync to extract credentials.

Artic Wolf released a security bulletin in December upon discovery of the campaign, while the recent blog post revealed more in-depth details, including the attackers likely exploiting a zero-day flaw. However, they have not “definitively confirmed” this initial access vector, though the compressed timeline across affected organizations as well as firmware versions affected by the campaign suggest that attackers are exploiting an as-yet-undisclosed vulnerability, according to the Arctic Wolf researchers.

Victims of the campaign did not represent a specific sector or organization size, suggesting “that the targeting was opportunistic in nature rather than being deliberately and methodically targeted,” they added.

The researchers didn’t provide details on the scope or volume of the campaign.

Cyber Abuse of the Fortinet Administrator Console

What alerted the researchers to the malicious activity “in contrast with legitimate firewall activities, is the fact that [attackers] made extensive use of the jsconsole interface from a handful of unusual IP addresses,” according to the post.  FortiGate next-generation firewall products have a standard and “convenient” feature that allow administrators to access the command-line interface through the Web-based management interface, the researchers explained.

“According to the FortiGate Knowledge Base, when changes are made via the Web-based CLI console, the user interface is logged as jsconsole along with the source IP address of whomever made the changes,” they wrote. “In contrast, changes made via ssh would be listed as ssh for the user interface instead.”

The researchers do not have direct confirmation that such commands are used in the present campaign; however, the observed activities follow a similar pattern in the way they invoke jsconsole, they added.

“Given subtle differences in tradecraft and infrastructure between intrusions, it is possible that multiple individuals or groups may have been involved in this campaign, but jsconsole usage was a common thread across the board,” the researchers wrote.

A Four-Phase Cyberattack, Still Ongoing

The researchers broke the campaign down into four phases that started in mid-November: It started with a vulnerability scanning phase, followed by a reconnaissance phase at the end of November, an SSL VPN configuration phase in the beginning of December, and then wrapping up with lateral movement from mid- to late December. However, they noted that the campaign is ongoing and they may uncover further activity in the future.

“These phases are delineated by the types of malicious configuration changes that were observed on compromised firewall devices across multiple victim organizations, and the activities that were taken by threat actors upon gaining access,” the researchers explained.

Typically, the total count of successful jsconsole logins from anomalous IP addresses ranged between several hundred and several thousand entries for each victim organization, spanning the four phases of the campaign.

“Most of these sessions were short-lived, with corresponding logout events within a second or less,” the researchers wrote. “In some instances, multiple login or logout events occurred within the same second, with up to four events occurring per second.”

Don’t Expose Management Interfaces to Public Internet

Fortinet devices are a popular target for threat actors, with vulnerabilities found in the products widely exploited to breach networks. To protect against attack, organizations should never expose Fortinet device management interfaces on the public Internet, regardless of the product specifics, according to the researchers. Instead, access to these interfaces should be limited to trusted internal users.

“When such interfaces are left open on the public internet, it expands the attack surface available to threat actors, opening up the potential to identify vulnerabilities that expose features that are meant to be limited to trusted administrators,” they wrote in the post.

Administrators also should follow the common best practice of regularly updating firmware on the devices to patch any flaws or other security issues. Further, the researchers added, organizations also should ensure that syslog monitoring is configured for all of an organization’s firewall devices to increase the likelihood of catching malicious activity early.