Fortinet, a leading cybersecurity company, has been targeted by cybercriminals owing to a security flaw in its products.
The flaw allowed hackers to exploit an authentication bypass zero-day vulnerability in FortiOS and FortiProxy.
FortiOS is the operating system used by FortiGate firewalls, which are widely deployed in enterprise networks for network security. FortiProxy is a secure web proxy solution designed to provide web filtering, advanced threat protection, and SSL/TLS inspection.
Attackers allegedly managed to exploit critical vulnerabilities “to hijack Fortinet firewalls and breach enterprise networks”, according to Bleeping Computer.
As of now, exploitation is only suspected. It is unclear whether Fortinet firewalls were actually hijacked.
Exploiting Zero-Day Vulnerabilities
The California-based company says that attackers exploiting the zero-day in the wild are creating randomly generated admin or local users on compromised devices and are adding them to existing SSL VPN user groups or to new ones.
In short, exploiting the zero-day authentication bypass may have granted remote attackers super-admin privileges.
They sent malicious requests to the Node.js websocket module, which could lead to unauthorised access to and control of affected devices.
Such admin access allows hackers to create rogue admin accounts, modify firewall settings, and access internal networks via SSL VPN.
Bleeping Computer also reported that attackers were observed to have added or changed firewall policies, adjusted other settings, and logged into SSL VPN using rogue accounts they created.
This allows them to establish a tunnel into the internal network and move further into the environment.
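As an added illustration, not code from the article, Fortinet or Arctic Wolf: a small Python detector that looks for the behaviours described above (administrator login from outside trusted management networks, creation of a new administrator account, changes to user groups and firewall policies, and an SSL VPN login by an account created in the same log window) in FortiOS-style key=value event logs. The sample events are constructed, the field names (cfgpath, cfgobj, ui, remip, tunnel-up) are assumed to mirror FortiOS event-log keys, and the trusted management network 10.0.0.0/8 is an assumption a defender would replace with their own.

```python
import ipaddress
import re

# Constructed sample events in FortiOS-style key=value form. They are made up for this
# example; the field names mirror common FortiOS event-log keys but are assumptions here.
SAMPLE_LOGS = [
    'date=2025-01-10 time=02:14:05 type="event" subtype="system" action="login" status="success" user="admin" ui="https(203.0.113.9)" msg="Administrator admin logged in successfully from https(203.0.113.9)"',
    'date=2025-01-10 time=02:15:11 type="event" subtype="system" action="Add" user="admin" ui="https(203.0.113.9)" cfgpath="system.admin" cfgobj="qxz81ab" msg="Add system.admin qxz81ab"',
    'date=2025-01-10 time=02:15:40 type="event" subtype="system" action="Edit" user="admin" ui="https(203.0.113.9)" cfgpath="user.group" cfgobj="sslvpn_users" msg="Edit user.group sslvpn_users"',
    'date=2025-01-10 time=02:16:02 type="event" subtype="system" action="Add" user="admin" ui="https(203.0.113.9)" cfgpath="firewall.policy" cfgobj="7" msg="Add firewall.policy 7"',
    'date=2025-01-10 time=02:20:30 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="qxz81ab" remip="203.0.113.9" msg="SSL tunnel established"',
    'date=2025-01-10 time=09:00:00 type="event" subtype="system" action="login" status="success" user="admin" ui="https(10.0.0.5)" msg="Administrator admin logged in successfully from https(10.0.0.5)"',
]

# Assumed trusted management networks; any admin login from elsewhere is treated as
# coming from an exposed (public) management interface.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UI_IP_RE = re.compile(r'\((\d{1,3}(?:\.\d{1,3}){3})\)')


def parse_fortios_line(line):
    """Turn one key=value log line into a dict, dropping the surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def source_ip(event):
    """Client IP from remip=..., or from the ui="https(1.2.3.4)" field of admin logins."""
    if "remip" in event:
        return event["remip"]
    m = UI_IP_RE.search(event.get("ui", ""))
    return m.group(1) if m else None


def is_trusted(ip, nets):
    """True if ip falls inside one of the trusted management networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in nets)


def detect(lines, trusted_nets=TRUSTED_MGMT_NETS):
    """Return (timestamp, rule, detail) alerts for the post-exploitation behaviours
    described in the article: rogue admin creation, group and policy changes, and
    SSL VPN logins by freshly created accounts."""
    alerts = []
    new_admins = set()  # accounts created within this batch of logs
    for line in lines:
        ev = parse_fortios_line(line)
        stamp = f"{ev.get('date')} {ev.get('time')}"
        ip = source_ip(ev)
        action = ev.get("action", "")
        cfgpath = ev.get("cfgpath", "")

        # Admin login on a management interface from outside the trusted networks.
        if ev.get("subtype") == "system" and action == "login" and ip and not is_trusted(ip, trusted_nets):
            alerts.append((stamp, "admin-login-untrusted-source", f"{ev.get('user')} from {ip}"))
        # A new administrator account (random-looking names are the reported pattern).
        if cfgpath == "system.admin" and action == "Add":
            new_admins.add(ev.get("cfgobj"))
            alerts.append((stamp, "new-admin-account", ev.get("cfgobj")))
        # User group edits, which is how accounts get added to SSL VPN groups.
        if cfgpath == "user.group":
            alerts.append((stamp, "user-group-modified", ev.get("cfgobj")))
        # Firewall policy additions or changes.
        if cfgpath.startswith("firewall.policy"):
            alerts.append((stamp, "firewall-policy-changed", f"{action} {ev.get('cfgobj')}"))
        # SSL VPN tunnel brought up by an account that was created in this same window.
        if ev.get("subtype") == "vpn" and action == "tunnel-up" and ev.get("user") in new_admins:
            alerts.append((stamp, "sslvpn-login-by-new-account", f"{ev.get('user')} from {ip}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

On the constructed sample the detector raises five alerts and stays silent on the final login from 10.0.0.5, which is inside the trusted range. The value of correlating the rules rather than running each alone is the last one: an SSL VPN tunnel by an account that did not exist minutes earlier is a much stronger signal than either event by itself.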
Fortinet Exposed Since November
In an official statement on Friday [January 10, 2025], Arctic Wolf reported similar indicators of compromise (IOCs).
Since early December, Arctic Wolf has been observing a “campaign affecting Fortinet FortiGate firewall devices with management interfaces exposed on the public internet,” the statement reads.
The statement implies that Fortinet systems might have been affected since mid-November.
"The campaign involved unauthorised administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts and various other configuration changes," Arctic Wolf Labs stated.
"While the initial access vector is not definitively confirmed, a zero-day vulnerability is highly probable. Organisations should urgently disable firewall management access on public interfaces as soon as possible."