Fortinet Warns of New Zero-Day Used in Attacks on Firewalls with Exposed Interfaces
Description

Threat hunters are calling attention to a new campaign that has targeted Fortinet FortiGate firewall devices with management interfaces exposed on the public internet. "The campaign involved unauthorized administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes," cybersecurity firm Arctic Wolf said in an analysis published last week.

The malicious activity is believed to have commenced in mid-November 2024, with unknown threat actors gaining unauthorized access to management interfaces on affected firewalls to alter configurations and extract credentials using DCSync. The exact initial access vector is currently not known, although it has been assessed with "high confidence" that it is likely driven by the exploitation of a zero-day vulnerability, given the "compressed timeline across affected organizations as well as firmware versions affected."

The firmware versions of devices that were impacted ranged between 7.0.14 and 7.0.16, which were released in February and October 2024 respectively.

The campaign has been observed going through four distinct attack phases that commenced around November 16, 2024, allowing the bad actors to progress from vulnerability scanning and reconnaissance to configuration changes and lateral movement. "What stands out about these activities in contrast with legitimate firewall activities is the fact that they made extensive use of…
