Subject: Engage Report: Console Chaos – Fortinet FortiGate Firewall Exploitation
Tactics: TA0001 Initial Access
Technique: T1190 Exploit Public-Facing Application
Procedure:
- Threat actors scan for publicly exposed FortiGate firewall management interfaces.
- They exploit a probable zero-day vulnerability (later identified as CVE-2024-55591) to gain unauthorized access.
- Threat actors establish jsconsole sessions, often spoofing the source IP address as a loopback address or a public DNS resolver.
- They make various configuration changes, create new admin accounts, and enable SSL VPN access.
Vulnerability:
- EAV0001 When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.
- EAV0007 When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence.
Engagement Opportunity:
- Immediately disable public-facing firewall management interfaces.
- Enforce strong passwords and multi-factor authentication for all administrative accounts.
- Monitor firewall logs for suspicious jsconsole activity, especially from unusual IP addresses.
Threat Actor: Unknown, possibly multiple groups due to variations in TTPs
Threat Objective:
Gain unauthorized access to internal networks, potentially for lateral movement, data exfiltration, or ransomware deployment.
Deception Opportunity:
- Deploy honeypot firewalls with exposed management interfaces to lure attackers and gather intelligence on their TTPs.
- Set up decoy VPN portals with fake credentials and sensitive-looking files to attract and trap attackers.
Sensor Data Placement: Kernel-Mode
Observable Level: Core to Sub-Technique or Technique
Scoring Rationale:
Detecting unauthorized configuration changes and account creation requires monitoring kernel-level events and identifying specific behaviors core to the exploitation of public-facing applications, such as modification of firewall rules, addition of new user accounts, and changes to VPN settings.
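As an added illustration (not part of the original report) of the monitoring described under Engagement Opportunity and in the Scoring Rationale above, the following Python flags two of the behaviours that this report calls out: jsconsole admin logins whose source address is a loopback address or a public DNS resolver, and changes to sensitive configuration paths (admin accounts, SSL VPN settings, firewall policy). The log lines are constructed and only loosely modelled on FortiGate's key=value event-log format; the field names ui=, srcip=, action=, cfgpath= and cfgobj=, and the configuration-path strings, are assumptions that would have to be mapped onto a real log export.

```python
"""Flag anomalous jsconsole logins and sensitive configuration changes.

Added example for this report, not code from the original. Log lines are
constructed; field names and cfgpath values are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass

# Source addresses a legitimate remote admin session should never carry:
# loopback, plus the well-known public DNS resolvers the report mentions.
SUSPICIOUS_SOURCES = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("8.8.8.8/32"),
    ipaddress.ip_network("8.8.4.4/32"),
    ipaddress.ip_network("1.1.1.1/32"),
    ipaddress.ip_network("1.0.0.1/32"),
    ipaddress.ip_network("9.9.9.9/32"),
]

# Configuration paths whose modification is central to this campaign
# (assumed names; adjust to the actual cfgpath values in your logs).
SENSITIVE_CFG = ("system.admin", "vpn.ssl.settings", "firewall.policy")

# key=value or key="quoted value" tokens
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_kv(line):
    """Turn one key=value log line into a dict, unquoting quoted values."""
    out = {}
    for m in KV_RE.finditer(line):
        out[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return out


def is_suspicious_source(ip):
    """True if the address is loopback or one of the listed public resolvers."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in SUSPICIOUS_SOURCES)


@dataclass
class Finding:
    kind: str
    user: str
    detail: str


def analyse(lines):
    """Return a Finding for each jsconsole login from a suspicious source
    and for each Add/Edit of a sensitive configuration path."""
    findings = []
    for line in lines:
        ev = parse_kv(line)
        user = ev.get("user", "")
        if ev.get("ui") == "jsconsole" and ev.get("action") == "login":
            if is_suspicious_source(ev.get("srcip", "")):
                findings.append(Finding("jsconsole_login_spoofed_src", user, ev["srcip"]))
        elif ev.get("action") in ("Add", "Edit") and ev.get("cfgpath") in SENSITIVE_CFG:
            detail = f"{ev['action']} {ev['cfgpath']} {ev.get('cfgobj', '')}".strip()
            findings.append(Finding("sensitive_config_change", user, detail))
    return findings


# Constructed sample log (not real telemetry): two spoofed jsconsole logins,
# an admin-account creation, an SSL VPN edit, and benign activity by netops.
SAMPLE_LOG = [
    'date=2025-01-15 time=10:01:02 type="event" subtype="system" user="admin" ui="jsconsole" srcip=127.0.0.1 action="login" status="success" msg="Administrator admin logged in successfully from jsconsole"',
    'date=2025-01-15 time=10:01:30 type="event" subtype="system" user="admin" ui="jsconsole" srcip=8.8.8.8 action="login" status="success" msg="Administrator admin logged in successfully from jsconsole"',
    'date=2025-01-15 time=10:02:10 type="event" subtype="system" user="admin" ui="jsconsole" srcip=127.0.0.1 action="Add" cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"',
    'date=2025-01-15 time=10:03:00 type="event" subtype="system" user="admin" ui="jsconsole" srcip=127.0.0.1 action="Edit" cfgpath="vpn.ssl.settings" cfgobj="" msg="Edit vpn.ssl.settings"',
    'date=2025-01-15 time=11:00:00 type="event" subtype="system" user="netops" ui="https(10.0.5.20)" srcip=10.0.5.20 action="login" status="success" msg="Administrator netops logged in successfully from https(10.0.5.20)"',
    'date=2025-01-15 time=11:05:00 type="event" subtype="system" user="netops" ui="https(10.0.5.20)" srcip=10.0.5.20 action="Edit" cfgpath="system.global" cfgobj="" msg="Edit system.global"',
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.kind:28} user={f.user:8} {f.detail}")
```

The source-address check is deliberately narrow: the report's point is that a loopback or public-resolver address in an admin login is impossible for a genuine remote session, so it is a high-confidence signal on its own, while the configuration-change rule needs a baseline of approved changes to keep its false-positive rate down.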
Link to Report:
Link to Report II:
Additional Comments:
This attack campaign emphasizes the critical importance of securing management interfaces and implementing robust security practices for internet-facing devices.
Possible elements:
MSG (Pseudocode):
T1190 - Exploit Public-Facing Application
Implementations:
- Scan for Exposed Interfaces
- Exploit Zero-day Vulnerability (CVE-2024-55591)
- Establish jsconsole Sessions
- Spoof IP Addresses
- Configure Firewall and VPN
Observables:
- Exposed Management Interface
  Level 3: Core to Pre-Existing Tool or Inside Boundary
  Scoring Rationale: An exposed management interface is not inherently malicious but represents a significant vulnerability that attackers can exploit.
- Exploit Attempts
  Level 2: Core to Adversary-Brought Tool or Outside Boundary
  Scoring Rationale: Detecting the exploit itself relies on recognizing specific patterns or signatures associated with the vulnerability, which may vary depending on the attacker's tools and techniques.
- jsconsole Activity
  Level 4: Core to Some Implementations of (Sub-)Technique
  Scoring Rationale: While jsconsole activity is not always malicious, its use from anomalous IP addresses is a strong indicator of compromise in this specific campaign.
- Configuration Changes
  Level 5: Core to Sub-Technique or Technique
  Scoring Rationale: Unauthorized configuration changes, such as creating new admin accounts or modifying VPN settings, are central to the attacker's objective of gaining access and persistence.
Notes:
* Defenders should prioritize securing public-facing infrastructure and implementing continuous monitoring and detection capabilities.
* Deception opportunities can be created through honeypots and decoy systems to lure attackers and gather intelligence.