Global Brute-Force Attacks Target Fortinet Devices

A recent surge in brute-force attempts targeting Fortinet SSL VPNs has raised concerns about potential imminent attacks exploiting undisclosed vulnerabilities in Fortinet devices. GreyNoise, a cybersecurity intelligence service, reported two distinct waves of attacks. The first wave, observed on August 3, involved over 780 unique IP addresses triggering the Fortinet SSL VPN Bruteforcer tag, indicating a focused effort to compromise Fortinet’s SSL VPNs. Following this, a second wave emerged on August 5, characterised by a different TCP signature, which shifted the focus to Fortinet’s FortiManager – FGFM profile while still activating the Bruteforcer tag. This change in attack behaviour suggests that the same infrastructure or toolset may be pivoting to target another Fortinet service.

GreyNoise’s research indicates that spikes in attacker activity often precede the discovery of new vulnerabilities, with 80 per cent of cases leading to a CVE disclosure within six weeks. The correlation between increased brute-force attempts and future vulnerabilities in Fortinet products is significant. Recently, Fortinet has released patches for several vulnerabilities, including a FortiSIEM flaw with active exploit code and a medium-severity path traversal vulnerability in FortiManager. Additionally, there are reports of a 0-day remote code execution exploit for FortiOS VPN versions 7.4 to 7.6 being offered for sale on an underground forum. Administrators of Fortinet devices are advised to block traffic from malicious IPs, restrict access to trusted IPs, and implement best practices to enhance security against brute-force attacks. 
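As an added example (not from GreyNoise, Fortinet or the original post), this Python code reviews VPN event logs for the two patterns that matter with activity like the one described above: many failures from one address, and one account tried from many addresses, which a per-IP threshold alone misses when hundreds of sources take part. It also lists successful logins from outside a trusted range. The key=value layout, the field names `action`, `remip` and `user`, the action values, the thresholds and the trusted range are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: key=value event lines; the field names (action, remip, user)
# and the values "ssl-login-fail" / "tunnel-up" are modeled on FortiGate-style
# VPN events and must be adapted to the real export format.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
TRUSTED = [ipaddress.ip_network("198.51.100.0/24")]  # constructed allowlist

def parse(line):
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def sample_logs():
    """Constructed sample lines using documentation address ranges."""
    fmt = 'type="event" subtype="vpn" action="{a}" remip={ip} user="{u}"'
    logs = [fmt.format(a="ssl-login-fail", ip="203.0.113.10", u="admin")] * 6
    logs += [fmt.format(a="ssl-login-fail", ip=f"192.0.2.{i}", u="vpnuser")
             for i in range(1, 6)]
    logs += [fmt.format(a="tunnel-up", ip="198.51.100.7", u="alice"),
             fmt.format(a="tunnel-up", ip="192.0.2.3", u="vpnuser")]
    return logs

def analyze(lines, per_ip_limit=5, spray_ip_limit=4):
    """Return (noisy_ips, sprayed_users, untrusted_successes)."""
    fails_by_ip = defaultdict(int)   # failures per source address
    ips_by_user = defaultdict(set)   # distinct failing sources per account
    untrusted_ok = set()             # successful logins outside TRUSTED
    for line in lines:
        ev = parse(line)
        try:
            ip = ipaddress.ip_address(ev.get("remip", ""))
        except ValueError:
            continue  # skip lines without a usable source address
        if ev.get("action") == "ssl-login-fail":
            fails_by_ip[str(ip)] += 1
            ips_by_user[ev.get("user", "")].add(str(ip))
        elif ev.get("action") == "tunnel-up" and not any(ip in n for n in TRUSTED):
            untrusted_ok.add((ev.get("user", ""), str(ip)))
    noisy = {ip for ip, n in fails_by_ip.items() if n >= per_ip_limit}
    sprayed = {u for u, ips in ips_by_user.items() if len(ips) >= spray_ip_limit}
    return noisy, sprayed, untrusted_ok

if __name__ == "__main__":
    print(analyze(sample_logs()))
```

An account that appears both in the distributed-failure set and in the untrusted-success list is the first one to review.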

Categories: Cybersecurity Threats, Vulnerability Exploitation, Attack Patterns 

Tags: Brute-Force, Fortinet, SSL VPN, Vulnerabilities, Cybersecurity, Exploit, GreyNoise, FortiManager, Zero-Day, IPs 
