48,000+ internet-facing Fortinet firewalls still open to attack
Despite last week’s confirmation of and warnings about long-standing exploitation of CVE-2024-55591, a critical vulnerability affecting Fortinet Fortigate firewalls, too many vulnerable devices are still accessible from the Internet and open to attack: over 48,000, according to data from the Shadowserver Foundation.
CVE-2024-55591 exploitation
On January 10, Artic Wolf Labs researchers outlined an attack campaign targeting FortiGate firewalls with management interfaces exposed on the public internet by exploiting a zero-day vulnerability.
It involved attackers scanning for vulnerable devices, exploiting the zero-day, logging into the management interface as admin, changing the device configuration, creating new or hijacking existing accounts, creating new SSL VPN portals, establishing SSL VPN tunnels with the affected devices, and extracting credentials for lateral movement.
Fortinet publicly confirmed its existence and use a few days later, when it also revealed the vulnerability’s CVE number, the availability of patches and workarounds, and indicators of compromise associated with the campaign.
The company also said it had been “proactively communicating with customers to provide guidance regarding CVE-2024-55591” and intimated that they’ve been confidentially sharing early guidance with some customers before the publication of the advisory.
On the same day (January 14), the US Cybersecurity and Infrastructure Security Agency added the vulnerability to its Known Exploited Vulnerabilities catalog.
What’s the latest?
According to Arctic Wolf, the campaign unfolded between November 16, 2024 and December 27, 2024.
On Friday, risk advisory firm Kroll stated that they’ve observed connections to FortiGate appliances from actor-controlled infrastructure that match reconnaissance activity starting on November 1, 2024.
“It is possible that this activity started earlier, but without access to the devices this is not possible to confirm,” said Associate Managing Director George Glass. “Kroll assesses that the campaign is opportunistic and is not confined to any industry or geography.”
The attackers’ ultimate goal is still unknown.
Organizations running FortiGate firewalls and FortiProxy web gateways should be implementing the provided security updates, removing management interfaces from the internet or limiting access to them to trusted internal users, checking for indicators for compromise and, if found, engaging in furter incident response actions.
Unfortunately, as Shadowserver data shows, many have yet to take the first two steps: On January 17, the organization detected approximately 52,000 vulnerable internet-facing FortiGate devices – five days later, that number has fallen to around 48,000.
The majority of these devices are located in Asia and North America.