Summary:
Fortinet revealed a security lag in one of its FortiOS and FortiProxy systems, CVE-2024-55591. Attacks began in November 2024, attacking before the vendor released fixes. Remote attackers can take control of the systems with super admin privileges by sending specially crafted requests to exploit the Node.js websocket module. Versions 7.0.0 to 7.0.16 of FortiOS and 7.2.0 to 7.2.12 of FortiProxy can be deemed vulnerable. Fortinet has released patches for FortiOS 7.0.17, FortiProxy 7.2.13, and FortiProxy 7.0.20. The vendor shared Indicators of Compromise (IoCs) for the lingering vulnerability to assist organizations in detecting and addressing a potential attack.


Campaign Details:
In November and December 2024, Arctic Wolf monitored an extortion-oriented campaign that leveraged a group of actively exploited vulnerabilities in Fortinet. It started with the scanning for the existence of vulnerabilities, reconnaissance, excessive access to SSL VPN, and sideways movement inside the affected systems. Low-volume opportunistic exploitation was noticed by the attackers across a few organizations; however, their motivations remained vague in nature.


Arctic Wolf contacted Fortinet in mid-December, and the company confirmed that it was aware and working to investigate the activity. The hackers likely exploited a zero-day vulnerability, now pegged as CVE-2024-55591, which allowed remote attackers to achieve super-admin privileges by crafting requests that targeted the Node.js websocket module in FortiOS and FortiProxy.


In addition, Fortinet's advisory on January 14 revealed 13 other critical vulnerabilities in its product suite, which also included CVE-2023-37936, a critical vulnerability in FortiSwitch that could allow remote code execution via specially crafted cryptographic requests. Fortinet has not indicated that these vulnerabilities are currently being exploited; however, they could be used to achieve account persistence, arbitrary file writes, authenticated command execution, brute-force attacks, configuration harvesting, and denial-of-service events.


Security Officer Comments:
The exploitation of the vulnerability points to the need for organizations to protect management interfaces exposed to the internet while timely applying relevant patches. Threat actors targeting Fortinet products usually attempt to exploit misconfigurations or unpatched vulnerabilities in order to achieve persistence and reconnaissance and conduct lateral movement. Organizations should prioritize the security of internet-facing devices and monitor for unauthorized access attempts, in particular, their FortiGate firewalls.


Suggested Corrections:

• Apply Patches: Update FortiOS to version 7.0.17 or higher and FortiProxy to versions 7.2.13 or 7.0.20.
• Limit Exposure: Restrict access to management interfaces to trusted IP ranges and implement strong access controls.
• Monitor IoCs: Utilize Fortinet's provided IoCs to identify potential compromises and unusual activity.
• Secure VPNs: Ensure SSL VPN configurations are hardened and monitored for unauthorized use.
• Incident Response: Investigate any signs of unauthorized account creation or configuration changes, and implement remediation as needed.

IOCs are available here.

Link(s):
https://www.securityweek.com/fortinet-confirms-new-zero-day-exploitation/
https://cyble.com/blog/fortinet-patches-authentication-bypass-zero-day/
https://arcticwolf.com/resources/blog/console-chaos-targets-fortinet-fortigate-firewalls/