
Attackers exploiting critical Fortinet zero-day vulnerability

Fortinet disclosed another zero-day vulnerability in its FortiOS and FortiProxy products days after Arctic Wolf detailed a threat campaign targeting the vendor's devices.

Attackers are exploiting another critical Fortinet zero-day vulnerability that could allow a remote attacker to gain super-admin privileges over affected devices, including firewalls and SSL VPNs.

In a security advisory published on Tuesday, Fortinet disclosed an authentication bypass vulnerability that it tracks internally as FG-IR-24-535 and that is assigned CVE-2024-55591. The flaw affects several versions of FortiOS and FortiProxy and received a CVSS score of 9.3 out of 10.

Fortinet confirmed it received reports of exploitation, but the scope and attribution remain unknown. Users are urged to follow the recommended upgrade path using the vendor's upgrade tool or to apply the workaround.

"Please note that reports show this is being exploited in the wild," Fortinet wrote in the security advisory.

Additionally, the advisory outlined indicators of compromise (IoCs) Fortinet observed during attacks, including threat actors creating an administrative account and a user group on the device. Threat actors also added or changed other settings, such as a firewall policy or a firewall address. The IoCs showed that threat actors could gain access to a victim organization's network by logging in to the SSL VPN after adding themselves as a local user.
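The IoCs above describe a sequence a defender can hunt for in FortiOS event logs: configuration changes to administrative accounts, local users, user groups, firewall policies and addresses, followed by an SSL VPN login from a user that was created moments earlier. The script below is an added example, not Fortinet's or Arctic Wolf's code. It parses the key="value" event-log format FortiOS emits and correlates object creation with SSL VPN tunnel events. The sample log lines are constructed, and the specific field names and values it keys on (action="Add", cfgpath, cfgobj, subtype="vpn", action="tunnel-up") are assumptions based on FortiOS log conventions that should be checked against the log reference for your firmware version.

```python
"""Hunt FortiOS event logs for the post-exploitation pattern in the advisory:
new admin account / local user / user group, firewall policy or address
changes, then an SSL VPN login by the freshly created user.

Added example. Log lines below are CONSTRUCTED; field names (cfgpath, cfgobj,
action, subtype, tunnel-up) are ASSUMED FortiOS conventions."""
import re
from datetime import datetime, timedelta

# Configuration object types named in the advisory's IoCs (assumed cfgpath values).
WATCHED_CFGPATHS = {
    "system.admin": "administrative account",
    "user.local": "local user",
    "user.group": "user group",
    "firewall.policy": "firewall policy",
    "firewall.address": "firewall address",
}

# Constructed sample: an intruder with admin access builds a VPN foothold,
# then a long-standing user (jdoe) logs in normally and must not be flagged.
SAMPLE_LOGS = [
    'date="2024-12-05" time="02:11:09" type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="success" profile="super_admin"',
    'date="2024-12-05" time="02:11:31" type="event" subtype="system" logdesc="Object configured" user="admin" ui="https(203.0.113.7)" action="Add" cfgtid=101 cfgpath="system.admin" cfgobj="support_tmp" cfgattr="accprofile[super_admin]"',
    'date="2024-12-05" time="02:12:04" type="event" subtype="system" logdesc="Object configured" user="admin" ui="https(203.0.113.7)" action="Add" cfgtid=102 cfgpath="user.local" cfgobj="vpnuser9" cfgattr="type[password]"',
    'date="2024-12-05" time="02:12:20" type="event" subtype="system" logdesc="Object configured" user="admin" ui="https(203.0.113.7)" action="Add" cfgtid=103 cfgpath="user.group" cfgobj="sslvpn-grp2" cfgattr="member[vpnuser9]"',
    'date="2024-12-05" time="02:13:41" type="event" subtype="system" logdesc="Object configured" user="admin" ui="https(203.0.113.7)" action="Add" cfgtid=104 cfgpath="firewall.address" cfgobj="any_net" cfgattr="subnet[0.0.0.0 0.0.0.0]"',
    'date="2024-12-05" time="02:14:02" type="event" subtype="system" logdesc="Object configured" user="admin" ui="https(203.0.113.7)" action="Add" cfgtid=105 cfgpath="firewall.policy" cfgobj="99" cfgattr="srcintf[ssl.root]"',
    'date="2024-12-05" time="02:30:17" type="event" subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" remip=198.51.100.23 user="vpnuser9" group="sslvpn-grp2" reason="login successfully"',
    'date="2024-12-05" time="02:35:00" type="event" subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" remip=192.0.2.44 user="jdoe" group="sslvpn-grp" reason="login successfully"',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_line(line):
    """Split a FortiOS log line into a dict. Values are either double-quoted
    (may contain spaces) or bare tokens such as IPs and numbers."""
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def _when(fields):
    return datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")


def hunt(lines, window=timedelta(hours=24)):
    """Return findings for (1) adds/edits of the watched object types and
    (2) SSL VPN tunnels brought up by a local user created within `window`."""
    findings = []
    new_local_users = {}  # username -> creation time seen in this log set
    for line in lines:
        f = parse_fortios_line(line)
        if "date" not in f or "time" not in f:
            continue  # not a FortiOS event line we can timestamp
        when = _when(f)
        if f.get("action") in ("Add", "Edit") and f.get("cfgpath") in WATCHED_CFGPATHS:
            findings.append({
                "time": when, "kind": "config_change",
                "what": WATCHED_CFGPATHS[f["cfgpath"]], "object": f.get("cfgobj", "?"),
                "by": f.get("user", "?"), "via": f.get("ui", "?"),
            })
            if f["action"] == "Add" and f["cfgpath"] == "user.local":
                new_local_users[f.get("cfgobj")] = when
        if f.get("subtype") == "vpn" and f.get("action") == "tunnel-up":
            created = new_local_users.get(f.get("user"))
            if created is not None and timedelta(0) <= when - created <= window:
                findings.append({
                    "time": when, "kind": "sslvpn_login_by_new_user",
                    "user": f["user"], "remip": f.get("remip", "?"),
                    "created": created,
                })
    return findings


if __name__ == "__main__":
    for item in hunt(SAMPLE_LOGS):
        print(item)
```

Run it against an export of the firewall's event logs (one line per record); any sslvpn_login_by_new_user finding, or a burst of config_change findings from an unfamiliar admin session, is worth an immediate look at the device's admin table and SSL VPN user list.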

Fortinet sent the following statement to Informa TechTarget:

We have been proactively communicating with customers to provide guidance regarding CVE-2024-55591 (FG-IR-24-535), including solutions and workarounds to help them mitigate their risk. There are instances where confidential advance customer communications can include early guidance regarding an advisory to enable customers to further strengthen their security posture in advance of a scheduled public Advisory. We continue to coordinate with government agencies and industry threat research organizations as part of our ongoing response and continue to recommend our customers follow the guidance outlined in the advisory, exercise timely patching practices, and continue monitoring their networks for unusual activity to help mitigate cyber risk. We continue to urge our customers to refer to the advisory and follow the guidance provided for CVE-2024-55591.

November attack campaign

The exploitation of CVE-2024-55591 is apparently connected to a Fortinet attack campaign that Arctic Wolf observed targeting publicly exposed management interfaces on FortiGate firewalls beginning in November. The cybersecurity vendor published a blog post on Jan. 10 detailing the campaign and noted it involved unauthorized administrative logins to firewalls, the creation of new accounts and SSL VPN authentication through those accounts.

Arctic Wolf broke the campaign down into four stages. Attackers began scanning for vulnerable devices in mid-November and performed reconnaissance between Nov. 22 and Nov. 27. The unknown threat actor then configured SSL VPN access from Dec. 4 to Dec. 7 and moved laterally in victim environments between Dec. 16 and Dec. 27.

It appears the attack scope is limited for now.

"In this campaign, we observed opportunistic exploitation of a handful of victim organizations," Arctic Wolf wrote in the blog post.

Arctic Wolf said it notified Fortinet of the malicious activity on Dec. 12. Fortinet confirmed it received the alert on Dec. 17 and stated the "activity was known and under investigation."

Arctic Wolf credited Mo Sharif, a member of its security service team, for discovery and Ruben Raymundo and Trevor Daher, also security service team members, for investigating the intrusions. "While the initial access vector is not definitively confirmed, a zero-day vulnerability is highly probable," Arctic Wolf wrote in the blog post.

Informa TechTarget contacted Arctic Wolf regarding whether the campaign was related to CVE-2024-55591.

"[Arctic Wolf] Labs confirmed this is correct. The team said they are noting a significant overlap with our findings," Arctic Wolf Labs said.

Arctic Wolf urged users to limit access to firewall management interfaces and to ensure those interfaces are not exposed to the internet. A broad range of attackers, including Chinese state-sponsored threat actors, have increasingly targeted Fortinet products in recent years. While attribution for the CVE-2024-55591 exploitation has not been established, Stefan Hostetler, lead threat intelligence researcher at Arctic Wolf, told Informa TechTarget that the activity could be related to a ransomware gang.

"As a security operations company, we aim to protect our customers from threats by intervening as early as possible in the cyber kill chain. Unfortunately, this limits our visibility into later stages of the present campaign," Hostetler said. "What we can say is that ransomware is not off the table, and in previous research we have observed affiliates of ransomware groups such as Akira and Fog using some of the same network providers to establish VPN connectivity. This is not a definitive attribution however, as these same providers have been used by many other threat actors."

In September, Hostetler warned SonicWall users that the Akira ransomware gang was targeting SonicWall devices through compromised SSL VPN accounts, with the intrusions linked to a SonicOS management access flaw tracked as CVE-2024-40766.

Arielle Waldman is a news writer for Informa TechTarget covering enterprise security.
