Threat Actors Exploit Fortinet Flaw in Firewall Attacks

In a Tuesday security advisory, Fortinet released patches for an authentication bypass bug that is being exploited in the wild. The flaw exists in several versions of the FortiOS operating system and FortiProxy web gateway. 

Key Details:

• The security flaw is tracked as CVE-2024-55591 and is critical severity 

• If successfully exploited, the flaw can allow remote attackers to gain super-admin privileges and execute unauthorized commands

• The vulnerability can be exploited by attackers through remotely sending crafted requests to the Node.js websocket module, according to Fortinet

FortiGate Attacks: In a post on Jan. 10, before Fortinet’s advisory, Arctic Wolf researchers highlighted attacks they said likely stemmed from a zero-day vulnerability, which targeted FortiGate firewall devices with management interfaces exposed on the public internet.

In a comment to Vulnerable U News, Arctic Wolf Labs researchers noted a “significant overlap” between the Indicators of Compromise (IoCs) outlined in Fortinet’s security advisory for CVE-2024-55591 and their threat activity findings. The researchers had notified Fortinet on Dec. 12 about the activity they observed in the campaign, and received confirmation from FortiGuard’s PSIRT team on Dec. 17 that the activity was under investigation.

“In early December, Arctic Wolf Labs observed a cluster of intrusions affecting Fortinet devices in the tens (rather than the hundreds) within a short timeframe,” according to an Arctic Labs statement shared with Vulnerable U News. “Most of these intrusions took place within three days of each other, but the campaign extended into the following weeks as well. The pattern of activity we observed was consistent with opportunistic widespread exploitation, given that each of the affected victim organizations had somewhere between hundreds to thousands of malicious login events on Fortinet firewall devices.”

The attackers gained unauthorized admin access to firewall management interfaces before creating new accounts, attempting to establish SSL VPN access, and making various other configuration changes. The objectives of the threat actors behind the attacks aren’t known, although researchers observed them extracting credentials using DCSync, a technique for abusing the Windows Domain Controller API in order to dump Active Directory credentials.

Vendor Reaction: Fortinet is urging customers to apply patches. Versions 7.0.0 to 7.0.16 of FortiOS are impacted, and the flaw has been fixed in versions 7.0.17 and above. For FortiProxy, versions 7.2.0 through 7.2.12 are vulnerable (with fixes available in version 7.2.13 or above) along with versions 7.0.0 through 7.0.19 (with fixes available in version 7.0.20 or above). 

Of note, only firewalls with HTTP/HTTPS management enabled on WAN interfaces are impacted, limiting the scope further, said Arctic Wolf researchers. Fortinet in its security advisory listed several workarounds, including disabling HTTP/HTTPS administrative interfaces or limiting IP addresses that can reach administrative interfaces via local-in policies.