Zero-Day Attacks On Firewalls: Fortinet Issues Warning

sreekanth
January 16, 2025


Fortinet has issued a warning about a new zero-day attack campaign against FortiGate firewall devices whose management interfaces are exposed to the public internet. The campaign began around mid-November 2024: the attackers accessed the management interfaces, created new admin accounts, changed configurations, and bypassed SSL VPN for lateral movement. The threat actors are unknown; they have used this vulnerability to extract credentials using DCSync.

For context, a zero-day is a previously unknown software vulnerability that attackers exploit to gain entry into vulnerable networks, servers, and systems. It is called a zero-day because exploitation begins before the organization becomes aware of the flaw, leaving it zero days to address the issue.

The affected devices, some of which are still being recovered, were running firmware versions 7.0.14 through 7.0.16, released in February and October of 2024.

Fortinet has confirmed that the attacks came in four waves:

  • Scanning and reconnaissance.
  • Configuration changes (e.g., enabling new admin accounts).
  • Creating local user accounts with VPN access.
  • Credential extraction for lateral movement.
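The four waves above each leave traces in the firewall's own event logs: management logins from unexpected addresses, additions under the administrator and local-user configuration paths, and configuration changes made from outside the management network. The following detector is an added example written for this article, not code from Fortinet or from the original post. It runs over a few constructed log lines written in the FortiGate key=value syslog style; the field names (`logdesc`, `ui`, `action`, `cfgpath`, `cfgobj`) follow FortiOS conventions as far as the author knows them and are an assumption, as is the trusted management network `10.20.0.0/16`, so adjust both to what your own devices emit.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample lines in the FortiGate key=value style (not real device
# output). The first three model the campaign: a management login from an
# untrusted address, a new super_admin account, then a new local user created
# by that account. The last two are routine work from the management network.
SAMPLE_LOGS = [
    'date=2024-11-20 time=03:12:41 logid="0100032002" type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" ui="https(203.0.113.77)" '
    'action="login" status="success"',
    'date=2024-11-20 time=03:13:05 logid="0100044547" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" ui="https(203.0.113.77)" '
    'action="Add" cfgpath="system.admin" cfgobj="svc_backup" cfgattr="accprofile[super_admin]"',
    'date=2024-11-20 time=03:14:30 logid="0100044547" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="svc_backup" ui="https(203.0.113.77)" '
    'action="Add" cfgpath="user.local" cfgobj="vpn_temp" cfgattr="type[password]"',
    'date=2024-11-20 time=09:00:02 logid="0100032002" type="event" subtype="system" '
    'logdesc="Admin login successful" user="netops" ui="https(10.20.0.15)" '
    'action="login" status="success"',
    'date=2024-11-20 time=09:01:10 logid="0100044547" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="netops" ui="https(10.20.0.15)" '
    'action="Edit" cfgpath="firewall.policy" cfgobj="42" cfgattr="comments[maintenance]"',
]

# Assumed trusted management network; in practice this is the set of addresses
# allowed to reach the management interface at all.
TRUSTED_MGMT_NETS = ["10.20.0.0/16"]

# key=value pairs, with values either double-quoted or bare (e.g. date=2024-11-20)
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# the ui field carries the access method and source address, e.g. https(203.0.113.77)
_UI_IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")

Finding = Tuple[str, str, Optional[str], str]  # (timestamp, user, source ip, rule)


def parse_kv(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict; quoted values lose their quotes."""
    return {k: q if q != "" or b == "" else b for k, q, b in _KV_RE.findall(line)}


def source_ip(event: Dict[str, str]) -> Optional[str]:
    """Extract the client address from the ui field, if present."""
    m = _UI_IP_RE.search(event.get("ui", ""))
    return m.group(1) if m else None


def is_trusted(ip: str, trusted_nets: Iterable[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in trusted_nets)


def check_event(event: Dict[str, str], trusted_nets: Iterable[str]) -> List[str]:
    """Return the names of every rule this single event trips (possibly none)."""
    hits: List[str] = []
    src = source_ip(event)
    external = src is not None and not is_trusted(src, trusted_nets)
    action = event.get("action")
    if action == "login" and event.get("status") == "success" and external:
        hits.append("admin-login-from-untrusted-source")
    if action == "Add" and event.get("cfgpath") == "system.admin":
        hits.append("new-admin-account-created")
    if action == "Add" and event.get("cfgpath") == "user.local":
        hits.append("new-local-user-created")
    if action in ("Add", "Edit", "Delete") and external:
        hits.append("config-change-from-untrusted-source")
    return hits


def analyze(lines: Iterable[str], trusted_nets: Iterable[str]) -> List[Finding]:
    """Run every rule over every line and collect (time, user, src, rule) findings."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_kv(line)
        stamp = f"{ev.get('date', '?')} {ev.get('time', '?')}"
        for rule in check_event(ev, trusted_nets):
            findings.append((stamp, ev.get("user", "?"), source_ip(ev), rule))
    return findings


if __name__ == "__main__":
    for stamp, user, src, rule in analyze(SAMPLE_LOGS, TRUSTED_MGMT_NETS):
        print(f"{stamp}  {rule:40s} user={user} src={src}")
```

The two account-creation rules fire regardless of source address, because a new administrator or a new VPN-capable local user created outside a change window is worth a look even from inside the management network; the source-address rules are what catch the first wave, and they only work if the list of trusted networks is kept accurate. Feed the same rules into the SIEM that already collects FortiGate syslog rather than running the script by hand.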

Fortinet's current guidance is to update the firmware and to minimize public exposure of management interfaces in order to reduce the risk of future attacks.

Simply put, a flaw in a firewall was used to gain elevated access, create an entry point for attackers, and move deeper into the victims' networks. As a SOC service provider, we'd agree that no security is too much security. If you hold confidential data whose exposure could put an entire organization or a chain of clients at risk, then 24/7 SOC monitoring can save you from potentially costly losses and lawsuits.

sreekanth

Sreekanth is a Technical and Professional Services Manager with 12 years of experience in managing IT infrastructures across on-premises, hybrid, and cloud environments. Sreekanth is also deeply passionate about cybersecurity, bringing a forward-thinking approach to building secure and resilient systems.