Arctic Wolf has warned the industry about ongoing malicious activity targeting the management interfaces of FortiGate firewall devices, which are exposed to the public internet.
According to the company, bad actors have been actively exploiting these interfaces since early December last year. While the total extent of the attacks is still being investigated, entities that use these products should review and tighten their security practices immediately.
Management interfaces on firewalls are a known target for malicious actors trying to gain initial access to company networks. They often lead to ransomware and other malicious acts.
Arctic Wolf stressed that similar attack patterns have been seen in other high-profile security incidents:
- In August 2024, SonicWall disclosed CVE-2024-40766, a vulnerability that enabled unsanctioned access to management and SSL VPN interfaces. This flaw was later used by malefactors to deploy Fog and Akira ransomware.
- In November 2024, the security company found a mass exploitation campaign involving CVE-2024-0012 and CVE-2024-9474, vulnerabilities that affected Palo Alto Networks PAN-OS software.
Limiting Access
“For all firewall devices, Arctic Wolf strongly recommends restricting firewall management interface access to trusted internal networks as a security best security practice across all firewall configurations, regardless of vendor,” the advisory says.
Those using Fortinet FortiGate firewalls are urged to follow guidance issued by each vendor for securing and hardening their devices; detailed best practices for system administrators can be found here.
In addition, Arctic Wolf advises businesses to configure log monitoring on all firewall devices by setting up syslog monitoring to detect anomalous activity as soon as possible. As the company’s investigation of this active threat continues, they are also advised to act quickly to limit their exposure and protect their critical infrastructure.
Always on the Hunt
Stefan Hostetler, Lead Threat Intelligence Researcher at Arctic Wolf, says malicious actors are always looking for new sources of financial gain, and the vulnerabilities described here are another way entities can be exposed.
“The good news in this case is that the patch previously released by Fortinet should cover both vulnerabilities. The latest reports suggest that threat actors are going after the remaining organizations who were unable to apply the patch or harden their firewall configurations when the vulnerability was originally disclosed.”
He says when known vulnerabilities go unmitigated, bad actors are quick to exploit them. “The threat actor tied to the ransomware campaign described by Forescout appears to be using a familiar set of tools seen in past ransomware activity, while adapting their initial access techniques. When the LockBit 3.0 builder leaked in 2022, numerous groups began using it for their own independent campaigns, and this threat actor appears to be doing the same. Additionally, the structure of the ransom note bears similarities to that of other groups such as the now-defunct BlackCat/ALPHV ransomware variant. This illustrates how the threat actors hiding behind ransomware group names rebrand and adapt as their incentives and alliances evolve over time.”
Hostetler says entities who have not yet patched this vulnerability should do so as soon as possible and review their firewall security configuration to avoid becoming another statistic of this and other similar campaigns.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.