Zero-Day Attacks On Firewalls: Fortinet Issues Warning


Fortinet has issued a warning about a new zero-day attack on Fortinet FortiGate firewall devices whose management interfaces are exposed to the public internet. The campaign began around mid-November 2024: the attackers accessed management interfaces, created new admin accounts, changed configurations, and bypassed SSL VPN for lateral movement. The threat actors are unknown; they have used the access gained through this vulnerability to extract credentials with DCSync.

For context, a zero-day is a previously unknown software vulnerability that hackers exploit to gain entry into vulnerable networks, servers, and systems. It is called a zero-day because it is exploited before the organization becomes aware of it, leaving zero days to address the issue.

The affected firmware versions, on which recovery is still underway, range from 7.0.14 to 7.0.16; these were released between February and October 2024.

Fortinet has confirmed that the attacks came in four waves:

  • Scanning and reconnaissance.
  • Configuration changes (e.g., enabling new admin accounts).
  • Creating local user accounts with VPN access.
  • Credential extraction for lateral movement.
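The four waves above leave traces in the firewall's own event log: wave two and wave three are configuration changes to administrator accounts, local users and SSL VPN settings, made from a source address that is not the organization's management network. The following detection script is an added example written for this article, not code from Fortinet or from the original post. It assumes FortiGate-style key=value event lines with `type`, `subtype`, `user`, `ui`, `action`, `cfgpath` and `cfgobj` fields (check the exact field names against your firmware's log reference); the sample lines, device name, addresses, users and the trusted management network `10.20.0.0/24` are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample lines in FortiGate's key=value event-log style. Device name,
# addresses and users are placeholders invented for this example; no real log IDs are used.
SAMPLE_LOGS = [
    'date=2024-11-18 time=02:14:07 devname="fgt-edge" type="event" subtype="system" '
    'logdesc="Object configuration changed" user="admin" ui="https(198.51.100.23)" '
    'action="Add" cfgpath="system.admin" cfgobj="support_tmp" msg="Add system.admin support_tmp"',
    'date=2024-11-18 time=02:15:40 devname="fgt-edge" type="event" subtype="system" '
    'logdesc="Object configuration changed" user="support_tmp" ui="https(198.51.100.23)" '
    'action="Add" cfgpath="user.local" cfgobj="vpnuser1" msg="Add user.local vpnuser1"',
    'date=2024-11-18 time=02:16:02 devname="fgt-edge" type="event" subtype="system" '
    'logdesc="Object configuration changed" user="support_tmp" ui="https(198.51.100.23)" '
    'action="Edit" cfgpath="vpn.ssl.settings" cfgobj="" msg="Edit vpn.ssl.settings"',
    'date=2024-11-18 time=09:01:11 devname="fgt-edge" type="event" subtype="system" '
    'logdesc="Object configuration changed" user="admin" ui="ssh(10.20.0.5)" '
    'action="Edit" cfgpath="firewall.address" cfgobj="srv-web" msg="Edit firewall.address srv-web"',
    'date=2024-11-18 time=09:05:30 devname="fgt-edge" type="event" subtype="system" '
    'logdesc="Object configuration changed" user="admin" ui="https(10.20.0.5)" '
    'action="Add" cfgpath="user.local" cfgobj="contractor7" msg="Add user.local contractor7"',
]

# Assumed management network: changes from anywhere else are treated as untrusted.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Configuration paths that correspond to waves 2 and 3 of the campaign described above.
SENSITIVE_PATHS = {
    "system.admin": "administrator account created or modified",
    "user.local": "local user created or modified (candidate VPN account)",
    "user.group": "user group changed (VPN portal membership)",
    "vpn.ssl.settings": "SSL VPN settings changed",
}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
UI_RE = re.compile(r'^(\w+)\((\d{1,3}(?:\.\d{1,3}){3})\)$')   # e.g. https(203.0.113.5)


@dataclass
class Finding:
    time: str
    user: str
    source: str
    action: str
    cfgpath: str
    cfgobj: str
    reason: str
    severity: str


def parse_line(line):
    """Split one key=value log line into a dict (quoted and unquoted values)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def source_ip(ui):
    """Extract the client IP from a ui field such as 'https(198.51.100.23)', else None."""
    m = UI_RE.match(ui)
    return m.group(2) if m else None


def is_trusted(ip, trusted_nets):
    return ip is not None and any(ipaddress.ip_address(ip) in net for net in trusted_nets)


def detect(lines, trusted_nets=TRUSTED_ADMIN_NETS):
    """Flag sensitive config changes; escalate when a freshly created admin starts acting."""
    findings, new_admins = [], set()
    for line in lines:
        ev = parse_line(line)
        if ev.get("type") != "event" or ev.get("subtype") != "system":
            continue
        path = ev.get("cfgpath", "")
        if path not in SENSITIVE_PATHS:
            continue
        ip = source_ip(ev.get("ui", ""))
        trusted = is_trusted(ip, trusted_nets)
        user = ev.get("user", "")
        if user in new_admins:
            severity = "critical"   # an account created from an untrusted source is now making changes
        elif not trusted:
            severity = "high"       # sensitive change from outside the management network
        else:
            severity = "medium"     # still worth a ticket: verify against change records
        if path == "system.admin" and ev.get("action") == "Add" and not trusted:
            new_admins.add(ev.get("cfgobj", ""))
        findings.append(Finding(ev.get("time", ""), user, ip or ev.get("ui", ""),
                                ev.get("action", ""), path, ev.get("cfgobj", ""),
                                SENSITIVE_PATHS[path], severity))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"[{f.severity:8}] {f.time} {f.user}@{f.source} {f.action} {f.cfgpath} "
              f"{f.cfgobj or '-'}: {f.reason}")
```

The escalation rule is the part worth keeping: a single admin-account creation from an unexpected address is a high-priority alert, but the same newly created account then adding VPN users or touching SSL VPN settings is the campaign's pattern end to end, and should page someone rather than wait in a queue. The legitimate change from inside the management network is still reported at medium so it can be reconciled against change records.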

Fortinet's current guidance is to update the firmware and to minimize public-facing management interfaces in order to limit future threats.
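Whether a management interface is actually public-facing can be checked from the device configuration rather than guessed: on FortiOS, the `allowaccess` list of each interface says which services answer on it, and `trusthost` entries on each administrator restrict where logins may come from. The script below is an added example for this article (not Fortinet's tooling and not part of the original post). It parses a constructed FortiOS-style configuration excerpt and reports WAN-role interfaces that expose management protocols and administrators with no `trusthost` restriction; the interface names, addresses and admin names are placeholders, and the parser assumes the `config` / `edit` / `set` / `next` / `end` layout of a FortiOS configuration backup.

```python
# Constructed FortiOS-style configuration excerpt; interface names, addresses and
# admin names are placeholders made up for this example.
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set ip 10.20.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set trusthost1 10.20.0.0 255.255.255.0
    next
    edit "support_tmp"
    next
end
"""

# Protocols that give administrative access when listed under allowaccess.
MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}


def parse_fortios(text):
    """Return {section: {entry: {key: [values]}}} for top-level config blocks.

    Nested 'config' blocks inside an entry are tracked only so that their
    'end' does not close the outer section; their contents are ignored.
    """
    sections, stack, entry = {}, [], None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        kw = parts[0]
        if kw == "config":
            stack.append(" ".join(parts[1:]))
            if len(stack) == 1:
                sections.setdefault(stack[0], {})
        elif kw == "end":
            stack.pop()
        elif len(stack) != 1:
            continue                      # inside a nested block: skip
        elif kw == "edit":
            entry = " ".join(parts[1:]).strip('"')
            sections[stack[0]].setdefault(entry, {})
        elif kw == "next":
            entry = None
        elif kw == "set" and entry is not None and len(parts) >= 2:
            sections[stack[0]][entry][parts[1]] = parts[2:]
    return sections


def audit(text):
    """List exposure findings: management protocols on WAN interfaces, admins without trusthost."""
    cfg = parse_fortios(text)
    findings = []
    for name, attrs in cfg.get("system interface", {}).items():
        role = attrs.get("role", ["undefined"])[0]
        exposed = MGMT_PROTOCOLS & set(attrs.get("allowaccess", []))
        if role == "wan" and exposed:
            findings.append(f"interface {name}: {sorted(exposed)} allowed on WAN-role interface")
    for name, attrs in cfg.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in attrs):
            findings.append(f"admin {name}: no trusthost restriction")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("FINDING:", f)
```

Run against a real configuration backup, the two findings map directly to the remediation the article describes: remove `https` and `ssh` from `allowaccess` on any WAN-role interface, and give every administrator a `trusthost` covering only the management network. An unexpected administrator entry with no `trusthost`, like `support_tmp` here, is also worth comparing against the list of accounts your team actually created.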

Simply put, a flaw in a firewall was used to gain broader access, create an entry point for attackers, and move deeper into victims' networks. As a SOC service provider, we’d agree no security is too much security. If you hold confidential data whose exposure could put an entire organization or a chain of clients at risk, then 24/7 SOC monitoring can save you from potentially costly losses and lawsuits.
