Widespread Fortinet firewall exploitation likely due to zero-day

Network Security, Vulnerability Management, Threat Intelligence

Between several hundred and several thousand malicious login events have been recorded against Fortinet FortiGate firewalls with internet-exposed management interfaces as part of a widespread exploitation campaign that potentially involved a zero-day vulnerability between mid-November and late December, The Register reports. After suspicious jsconsole logins to targeted FortiGate firewalls' web-based command-line interface began on Nov. 16, threat actors waited until early December to conduct extensive firewall configuration modifications aimed at facilitating SSL VPN access, according to an analysis from Arctic Wolf Labs. Aside from establishing new super admin accounts, attackers also took over existing accounts to enable the creation of SSL VPN tunnels, which was followed by credential harvesting for lateral movement. "While the initial access vector used in this campaign is not yet confirmed, Arctic Wolf Labs assesses with high confidence that mass exploitation of a zero-day vulnerability is likely given the compressed timeline across affected organizations as well as firmware versions affected," said researchers.
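The report describes three observable stages on the firewall itself: admin logins arriving via the jsconsole interface, super admin accounts being created or modified, and SSL VPN settings being changed so the new accounts can open tunnels. The following script, an added example that is not from the article or from Arctic Wolf, shows how a defender might flag those stages in FortiGate event logs. The key=value syslog layout and field names (`logdesc`, `ui`, `cfgpath`, `cfgobj`, `cfgattr`) follow FortiGate conventions as I know them; the sample lines, IP addresses, serial number, log IDs and the account name `vpn_svc` are constructed for the example and are not indicators from the campaign.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed FortiGate-style event log lines (not real campaign data).
# Field names follow FortiGate's key=value syslog format as assumed here.
SAMPLE_LOGS = [
    'date=2024-11-16 time=02:13:44 logid="0100032001" type="event" subtype="system" '
    'level="information" logdesc="Admin login successful" sn="FGT-TEST-0001" user="admin" '
    'ui="jsconsole" srcip=203.0.113.10 action="login" status="success" '
    'msg="Administrator admin logged in successfully from jsconsole"',
    'date=2024-11-16 time=02:14:02 logid="0100044547" type="event" subtype="system" '
    'level="information" logdesc="Object attribute configured" user="admin" ui="jsconsole" '
    'cfgpath="system.admin" cfgobj="vpn_svc" cfgattr="accprofile[super_admin]" '
    'msg="Edit system.admin vpn_svc"',
    'date=2024-12-04 time=09:30:11 logid="0100044547" type="event" subtype="system" '
    'level="information" logdesc="Object attribute configured" user="vpn_svc" '
    'ui="https(203.0.113.10)" cfgpath="vpn.ssl.settings" cfgobj="" cfgattr="status[enable]" '
    'msg="Edit vpn.ssl.settings"',
    'date=2024-12-04 time=10:02:55 logid="0100032001" type="event" subtype="system" '
    'level="information" logdesc="Admin login successful" user="admin" ui="https(192.0.2.5)" '
    'srcip=192.0.2.5 action="login" status="success" '
    'msg="Administrator admin logged in successfully from https(192.0.2.5)"',
]

# key=value pairs; values are either a double-quoted string (may contain
# spaces and escaped quotes) or a bare token such as an IP address.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split one FortiGate syslog line into a field dictionary, unquoting values."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def detect_suspicious_events(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (rule, actor, detail) findings for the three stages in the report:
    jsconsole admin logins, super_admin account changes, and SSL VPN config edits."""
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        f = parse_fortigate_log(line)
        desc = f.get("logdesc", "")
        ui = f.get("ui", "")
        user = f.get("user", "")
        # Stage 1: successful admin login through the web-based CLI (jsconsole).
        if desc == "Admin login successful" and ui.startswith("jsconsole"):
            findings.append(("jsconsole_login", user, f.get("srcip", "")))
        # Stages 2 and 3: configuration changes on admin accounts or SSL VPN.
        if desc == "Object attribute configured":
            cfgpath = f.get("cfgpath", "")
            cfgattr = f.get("cfgattr", "")
            if cfgpath == "system.admin" and "super_admin" in cfgattr:
                findings.append(("super_admin_account_change", user, f.get("cfgobj", "")))
            elif cfgpath.startswith("vpn.ssl"):
                findings.append(("sslvpn_config_change", user, cfgpath))
    return findings


def accounts_created_then_used(lines: List[str]) -> Set[str]:
    """Correlate the stages: admin accounts given super_admin in one event and
    later acting as 'user' in any event (the takeover pattern the report describes)."""
    granted: Set[str] = set()
    used: Set[str] = set()
    for line in lines:
        f = parse_fortigate_log(line)
        if (f.get("logdesc") == "Object attribute configured"
                and f.get("cfgpath") == "system.admin"
                and "super_admin" in f.get("cfgattr", "")):
            granted.add(f.get("cfgobj", ""))
        elif f.get("user", "") in granted:
            used.add(f["user"])
    return used


if __name__ == "__main__":
    for finding in detect_suspicious_events(SAMPLE_LOGS):
        print(finding)
    print("accounts granted super_admin and later active:", accounts_created_then_used(SAMPLE_LOGS))
```

The three rules are deliberately independent so each can run on its own log stream, while `accounts_created_then_used` links them in time order, which is what turns a single odd login into the multi-week pattern the researchers describe. On a real deployment the lines would come from the firewall's syslog export rather than the constructed list above, and the `ui` check should be reviewed against the exact strings your firmware emits.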

Data exposed of more than 15K Fortinet FortiGate firewalls. (Adobe Stock)