Vulnerability Management, Network Security

Zero-Day Likely Cause of Campaign Against Fortinet Firewalls


Fortinet FortiGate firewalls whose management interfaces were exposed to the internet were hit by malicious login events, ranging from several hundred to several thousand in number, as part of a widespread campaign late last year that potentially involved a zero-day vulnerability, The Register reports.

Arctic Wolf Labs said that after suspicious jsconsole logins to targeted FortiGate firewalls' web-based command-line interface began on Nov. 16, the threat actors waited until early December before making extensive firewall configuration changes aimed at enabling SSL VPN access.

Aside from creating new super admin accounts, the attackers also hijacked existing accounts in order to set up SSL VPN tunnels, which was followed by credential harvesting to support lateral movement.
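The indicators described above (successful logins with the web CLI's jsconsole interface, new or modified administrator accounts with the super_admin profile, and changes under the SSL VPN configuration tree) can be checked against a FortiGate syslog export. The script below is an added example written for this article, not code from Arctic Wolf Labs, Fortinet, or The Register. It follows FortiGate's key=value syslog layout and the field names commonly seen in FortiOS event logs (ui, action, status, cfgpath, cfgattr, srcip), but the sample log lines are constructed for illustration, and exact field names and values vary by FortiOS version, so treat the matching rules as a starting point to validate against your own logs.

```python
import re
from datetime import datetime

# FortiGate logs are space-separated key=value pairs; values may be quoted
# and quoted values may contain spaces (for example msg="...").
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_line(line: str) -> dict:
    """Parse one FortiGate key=value syslog line into a dict, quotes stripped."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def find_jsconsole_logins(events):
    """Successful administrator logins made through the web CLI (ui=jsconsole).
    Failed attempts are excluded here; count them separately for brute-force volume."""
    return [e for e in events
            if e.get("action") == "login"
            and e.get("status") == "success"
            and e.get("ui") == "jsconsole"]


def find_super_admin_changes(events):
    """Admin accounts added or edited with the super_admin access profile."""
    return [e for e in events
            if e.get("cfgpath") == "system.admin"
            and "super_admin" in e.get("cfgattr", "")]


def find_sslvpn_config_changes(events):
    """Any configuration change under the vpn.ssl.* tree."""
    return [e for e in events if e.get("cfgpath", "").startswith("vpn.ssl")]


def _event_date(e):
    return datetime.strptime(e["date"], "%Y-%m-%d").date()


def triage(lines):
    """Summarise the three indicator classes and the gap between first jsconsole
    login and first SSL VPN change (the dwell period the article describes)."""
    events = [parse_fortigate_line(l) for l in lines if l.strip()]
    logins = find_jsconsole_logins(events)
    admin_changes = find_super_admin_changes(events)
    vpn_changes = find_sslvpn_config_changes(events)
    report = {
        "jsconsole_logins": len(logins),
        "jsconsole_sources": sorted({e.get("srcip", "?") for e in logins}),
        "super_admin_changes": len(admin_changes),
        "sslvpn_changes": len(vpn_changes),
        "days_login_to_vpn_change": None,
    }
    if logins and vpn_changes:
        first_login = min(_event_date(e) for e in logins)
        first_vpn = min(_event_date(e) for e in vpn_changes)
        report["days_login_to_vpn_change"] = (first_vpn - first_login).days
    return report


# Constructed sample lines in FortiGate syslog style (not real captured logs).
# Addresses are from documentation ranges; the hostname and serial are made up.
SAMPLE_LOGS = [
    'date=2024-11-16 time=03:12:41 devname="fw-edge-1" devid="FGT60FTK00000000" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=198.51.100.23 action="login" status="success" reason="none" msg="Administrator admin logged in successfully from jsconsole"',
    'date=2024-11-16 time=09:01:05 devname="fw-edge-1" devid="FGT60FTK00000000" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" srcip=10.0.0.5 action="login" status="success" reason="none" msg="Administrator admin logged in successfully from https(10.0.0.5)"',
    'date=2024-12-02 time=02:44:10 devname="fw-edge-1" devid="FGT60FTK00000000" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=198.51.100.23 action="login" status="success" reason="none" msg="Administrator admin logged in successfully from jsconsole"',
    'date=2024-12-02 time=02:45:02 devname="fw-edge-1" devid="FGT60FTK00000000" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="admin" ui="jsconsole" action="Add" cfgpath="system.admin" cfgobj="helpdesk_svc" cfgattr="accprofile[super_admin]" msg="Add system.admin helpdesk_svc"',
    'date=2024-12-02 time=02:47:30 devname="fw-edge-1" devid="FGT60FTK00000000" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="admin" ui="jsconsole" action="Edit" cfgpath="vpn.ssl.settings" cfgattr="status[enable]" msg="Edit vpn.ssl.settings"',
    'date=2024-12-03 time=11:20:17 devname="fw-edge-1" devid="FGT60FTK00000000" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="jsconsole" srcip=203.0.113.9 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from jsconsole"',
    'date=2024-12-03 time=14:05:55 devname="fw-edge-1" devid="FGT60FTK00000000" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="netops" ui="https(10.0.0.5)" action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="comments[quarterly review]" msg="Edit firewall.policy 12"',
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

On the constructed sample the report shows two successful jsconsole logins from one external address, one super_admin account addition, one SSL VPN settings change, and a 16-day gap between the first jsconsole login and the first SSL VPN change, mirroring the mid-November to early-December pattern in the article. Any jsconsole login from an address outside your management network is worth investigating on its own, since the web CLI should only ever be reached by administrators.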

"While the initial access vector used in this campaign is not yet confirmed, Arctic Wolf Labs assesses with high confidence that mass exploitation of a zero-day vulnerability is likely, given the compressed timeline across affected organizations, as well as firmware versions affected," said researchers.
