Fortinet warns of auth bypass zero-day exploited to hijack firewalls
Attackers are exploiting a new authentication bypass zero-day vulnerability in FortiOS and FortiProxy to hijack Fortinet firewalls and breach enterprise networks.
This security flaw (tracked as CVE-2024-55591) impacts FortiOS 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19, and FortiProxy 7.2.0 through 7.2.12. Successful exploitation allows remote attackers to gain super-admin privileges by making malicious requests to the Node.js websocket module.
Fortinet says attackers exploiting the zero-day in the wild are creating randomly generated admin or local users on compromised devices and are adding them to existing SSL VPN user groups or to new ones they also add.
They’ve also been observed adding or changing firewall policies and other settings and logging in to SSL VPN using previously created rogue accounts “to get a tunnel to the internal network.”
While the company didn’t provide additional information on the campaign, cybersecurity company Arctic Wolf released a report on Friday with matching indicators of compromise (IOCs), saying that Fortinet FortiGate firewalls with Internet-exposed management interfaces have been under attack since mid-November.
“The campaign involved unauthorized administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes,” Arctic Wolf Labs said.
“While the initial access vector is not definitively confirmed, a zero-day vulnerability is highly probable. Organizations should urgently disable firewall management access on public interfaces as soon as possible.”
Fortinet also advised admins in today’s advisory to disable the HTTP/HTTPS administrative interface or limit what IP addresses can reach the administrative interface via local-in policies as a workaround.
Arctic Wolf also provided a timeline for this CVE-2024-55591 mass-exploitation campaign, saying that it includes four phases:
- Vulnerability scanning (November 16, 2024 to November 23, 2024)
- Reconnaissance (November 22, 2024 to November 27, 2024)
- SSL VPN configuration (December 4, 2024 to December 7, 2024)
- Lateral Movement (December 16, 2024 to December 27, 2024)
“While the initial access vector used in this campaign is not yet confirmed, Arctic Wolf Labs assesses with high confidence that mass exploitation of a zero-day vulnerability is likely given the compressed timeline across affected organizations as well as firmware versions affected,” the cybersecurity firm added.
“Given subtle differences in tradecraft and infrastructure between intrusions, it is possible that multiple individuals or groups may have been involved in this campaign, but jsconsole usage was a common thread across the board.”
Fortinet and Arctic Wolf shared almost identical IOCs, stating that you can examine logs for the following entries to determine if devices were targeted.
After a login through the vulnerability, the logs show a random source IP and destination IP:
type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"
After the threat actors create an admin user, a log will be generated with what appears to be a randomly generated user name and source IP address:
type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"
The security companies also warned that the attackers commonly used the following IP addresses in attacks:
1.1.1.1
127.0.0.1
2.2.2.2
8.8.8.8
8.8.4.4
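The two log entries and the IP list above are the detection material Fortinet and Arctic Wolf published; the script below is an added example of how a defender might run those checks over exported FortiOS event logs, and it is not code from Fortinet, Arctic Wolf or the article. It parses the key=value log format, flags administrative logins and configuration changes whose ui/method is jsconsole (the common thread Arctic Wolf describes), and separately flags logins whose srcip matches one of the listed values or equals the dstip, as in the quoted entry. Note that the listed IPs appear as values inside the srcip/dstip and ui fields of the firewall's own log entries, and several of them (loopback, Google and Cloudflare public resolvers) are not attacker infrastructure, so they are useful as log-matching patterns rather than as addresses to block. The sample log lines are constructed for the example: the first two follow the entries quoted above, and the third is a benign GUI login from a private address added here for contrast.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log lines for this example. Lines 1 and 2 follow the
# entries quoted in the advisories; line 3 is a benign GUI login added here.
SAMPLE_LOGS = [
    'type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" '
    'sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 '
    'action="login" status="success" reason="none" profile="super_admin" '
    'msg="Administrator admin logged in successfully from jsconsole"',
    'type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" '
    'user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" '
    'cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"',
    'type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" '
    'user="admin" ui="GUI(10.0.0.5)" method="https" srcip=10.0.0.5 dstip=10.0.0.1 '
    'action="login" status="success" reason="none" profile="super_admin" '
    'msg="Administrator admin logged in successfully from https(10.0.0.5)"',
]

# IP values the advisories list as appearing in exploitation-related log entries.
IOC_IPS = {"1.1.1.1", "127.0.0.1", "2.2.2.2", "8.8.8.8", "8.8.4.4"}

# One key=value pair; the value is either double-quoted (may contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Turn a FortiOS key=value event log line into a dict of field -> value."""
    # findall returns (key, quoted_value, bare_value); exactly one of the two values is set.
    return {key: (quoted or bare) for key, quoted, bare in _KV_RE.findall(line)}


def classify(fields: Dict[str, str]) -> List[str]:
    """Return the list of findings for one parsed log entry (empty if nothing suspicious)."""
    findings: List[str] = []
    ui = fields.get("ui", "")
    via_jsconsole = ui.startswith("jsconsole") or fields.get("method") == "jsconsole"
    logdesc = fields.get("logdesc")

    if logdesc == "Admin login successful" and via_jsconsole:
        findings.append("admin login via jsconsole")
        srcip, dstip = fields.get("srcip"), fields.get("dstip")
        # The quoted exploitation entry has a listed IP as srcip and srcip == dstip.
        if srcip in IOC_IPS or (srcip is not None and srcip == dstip):
            findings.append("login srcip matches advisory IOC pattern")

    if logdesc == "Object attribute configured" and via_jsconsole:
        if fields.get("cfgpath") == "system.admin" and fields.get("action") == "Add":
            findings.append(f"new admin account {fields.get('cfgobj')!r} created via jsconsole")
        else:
            # Any other jsconsole-driven change (e.g. policy or SSL VPN group edits) is worth review.
            findings.append(f"config change to {fields.get('cfgpath')!r} via jsconsole")
    return findings


def scan(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Scan log lines and return (line_number, user, findings) for every flagged entry."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = parse_fortios_log(line)
        findings = classify(fields)
        if findings:
            hits.append((number, fields.get("user", "?"), findings))
    return hits


if __name__ == "__main__":
    for number, user, findings in scan(SAMPLE_LOGS):
        print(f"line {number} user={user}: " + "; ".join(findings))
```

Run against a real export, replace SAMPLE_LOGS with the lines of the exported event log; anything flagged as a jsconsole login or a jsconsole-created system.admin object should be checked against the administrators and SSL VPN user groups actually configured on the device.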
Arctic Wolf says it notified Fortinet about the attacks on December 12, 2024, and received confirmation from FortiGuard Labs PSIRT on December 17, 2024, that this activity was known and was already under investigation.
Today, Fortinet also released security patches for a critical hard-coded cryptographic key vulnerability (CVE-2023-37936). This vulnerability allows remote, unauthenticated attackers with the key to run unauthorized code via crafted cryptographic requests.
In December, Volexity reported that Chinese hackers used a custom post-exploitation toolkit dubbed ‘DeepData’ to exploit a zero-day vulnerability (with no CVE ID) in Fortinet’s FortiClient Windows VPN client to steal credentials.
Two months earlier, Mandiant revealed that a Fortinet FortiManager flaw dubbed “FortiJump” (tracked as CVE-2024-47575) had been exploited as a zero-day to breach over 50 servers since June.