Misconfigured and vulnerable Fortinet FortiGate Next-Generation Firewall appliances have been harnessed to compromise the networks of healthcare and government organizations, as well as managed service providers, as part of a new attack campaign, The Hacker News reports.

Infiltration of a FortiGate NGFW appliance in November enabled a threat actor believed to be an initial access broker to create a new local admin account, which was then used to establish new firewall policies removing access restrictions, according to SentinelOne researchers. After periodically monitoring device access, the attacker proceeded in February to extract the configuration file containing encrypted service account LDAP credentials, with the service account later used for environment authentication and Active Directory enrollment of deceptive workstations.

Another attack in January involved the use of firewall access to deliver the Pulseway and MeshAgent remote access tools, as well as to load Java-based malware that pilfered the contents of the NTDS.dit file and the SYSTEM registry hive. Both incidents have been contained.
Network Security, Government security, Critical Infrastructure Security
Attacks exploit FortiGate devices for network infiltration




