
Fortinet firewalls under siege: new zero-day exploit and data leak highlight continued targeting of edge appliances

Posted on 6 February 2025

What? 

Security firm Rapid7 has revealed two significant security incidents recently impacting Fortinet firewall customers. The first involved a newly disclosed zero-day vulnerability, CVE-2024-55591, in the FortiOS and FortiProxy security products. This vulnerability allows remote attackers to gain super-admin privileges through crafted requests to the Node.js websocket module. The threat is particularly severe as it is actively being exploited in the wild, posing an immediate risk to affected systems. 

The second incident was a data leak involving FortiGate firewalls. A threat actor known as "Belsen Group" published IP addresses, passwords and configuration data from 15,000 FortiGate firewalls on the dark web. Although the data appeared to be from 2022, it still represents a significant risk for organisations that have not updated their configurations or credentials since then. While no specific CVE has been attributed to this leak, it is suspected that a previous vulnerability, CVE-2022-40684, may have been the initial access point. 

So what? 

These incidents underscore the increasing frequency and sophistication of attacks exploiting zero-day vulnerabilities. A notable trend is the targeting of edge appliances, such as firewalls and VPNs, which are often the first line of defence in a network. Attackers are increasingly focusing on these devices due to their critical role in network security and their potential exposure to the internet. 

The Fortinet incidents also reflect a broader trend of data breaches in which older, unpatched vulnerabilities are leveraged to access sensitive information. This highlights the importance of maintaining up-to-date security practices and regularly updating systems to protect against both new and existing threats.

The incidents also illustrate the evolving threat landscape where cybercriminals are not only targeting current vulnerabilities but also exploiting historical data leaks. These trends necessitate a comprehensive approach to cybersecurity, including a robust incident response strategy and continuous monitoring. Indicators of compromise (IOCs) for CVE-2024-55591 can be found in Fortinet's advisory.  
