Alert: NCSC issues advice following global targeting of Fortinet firewalls and VPN gateways
The NCSC has issued an alert regarding a global campaign targeting Fortinet firewalls and VPN gateways using brute-force and credential stuffing techniques. A threat actor has leaked a database of compromised credentials, prompting organizations to urgently check for exposure, investigate for unauthorized access or persistence, and perform factory resets on compromised devices.
What Happened
A global cyber attack campaign is currently targeting Fortinet firewalls and VPN gateways by guessing or reusing stolen passwords. The attackers have successfully stolen and leaked a database of login credentials. If your organization uses these Fortinet products, it is critical to check if your systems have been compromised. Affected organizations must completely reset their devices, as simply changing passwords will not remove the attackers if they have already gained access.
Key Takeaways
- Fortinet firewalls and VPN gateways are being targeted globally via brute-force and credential stuffing attacks.
- A threat actor has leaked a database of compromised credentials obtained from internet-facing FortiGate and VPN portals.
- Organizations are urged to check Hudson Rock's FortiBleed Checker to see if their domains are affected.
- Compromised devices require a full factory reset, as simply changing credentials is insufficient to remove attacker persistence.
Affected Systems
- Fortinet firewalls
- Fortinet VPN gateways
- FortiGate portals
- Fortinet edge devices with SSL VPN enabled
Attack Chain
Threat actors conduct brute-force, dictionary, and credential stuffing attacks against internet-facing Fortinet firewalls and VPN portals. Upon successful authentication, attackers may establish persistence on the device, which survives standard credential resets. The attackers have subsequently leaked a database of the compromised credentials.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules are provided in the article.
Detection Engineering Assessment
- EDR Visibility: Low — EDR agents typically cannot be installed directly on proprietary edge devices like Fortinet firewalls and VPN gateways.
- Network Visibility: Medium — Network monitoring can detect high volumes of authentication attempts, but successful VPN traffic is encrypted and difficult to inspect without decryption capabilities.
- Detection Difficulty: Moderate — While brute-force attacks generate noisy authentication failures, credential stuffing using valid accounts blends in with legitimate user activity.
Required Log Sources
- VPN authentication logs
- Firewall access logs
- Device management logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Attackers are attempting to log in using compromised credentials from other breaches. | VPN authentication logs | Initial Access | Low to Medium |
| Attackers have created unauthorized administrator accounts for persistence on edge devices. | Device management logs | Persistence | Low |
Control Gaps
- Lack of MFA on VPN and administrative interfaces
- Exposure of management interfaces to the public internet
Key Behavioral Indicators
- High volume of failed login attempts
- Logins from unusual geographic locations or known VPN/Tor exit nodes
- Creation of new administrative accounts on edge devices
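The two hunting hypotheses and the behavioral indicators above, worked as an added example that is not part of the NCSC alert or any Fortinet tooling: a small Python hunt over constructed FortiGate-style key=value log lines that flags one source IP cycling through many usernames, a successful login from that same source, and a new administrator object on the device. The field names (subtype, action, remip, cfgpath, cfgobj), the event values and the thresholds are assumptions for illustration, not a verified FortiOS log schema.

```python
import shlex
from collections import defaultdict

FAIL_THRESHOLD = 5   # failed logins from one source IP before it is flagged
SPRAY_USERS = 3      # distinct usernames tried from one IP -> stuffing/spray pattern

# Constructed sample lines in a FortiGate-style key=value syslog layout.
# Field names and values (subtype, action, cfgpath) are assumptions, not real FortiOS schema.
SAMPLE_LOGS = """\
date=2024-01-02 time=10:00:01 type=event subtype=vpn action=ssl-login-fail user=alice remip=203.0.113.10
date=2024-01-02 time=10:00:02 type=event subtype=vpn action=ssl-login-fail user=bob remip=203.0.113.10
date=2024-01-02 time=10:00:03 type=event subtype=vpn action=ssl-login-fail user=carol remip=203.0.113.10
date=2024-01-02 time=10:00:04 type=event subtype=vpn action=ssl-login-fail user=dave remip=203.0.113.10
date=2024-01-02 time=10:00:05 type=event subtype=vpn action=ssl-login-fail user=erin remip=203.0.113.10
date=2024-01-02 time=10:00:06 type=event subtype=vpn action=ssl-login user=frank remip=203.0.113.10
date=2024-01-02 time=10:01:00 type=event subtype=vpn action=ssl-login-fail user=alice remip=198.51.100.7
date=2024-01-02 time=10:01:05 type=event subtype=vpn action=ssl-login user=alice remip=198.51.100.7
date=2024-01-02 time=10:05:00 type=event subtype=system action=Add cfgpath=system.admin cfgobj=svc_backup user=frank remip=203.0.113.10
"""

def parse_kv(line):
    """Split a key=value line into a dict; shlex keeps quoted values such as msg="a b" intact."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def hunt(log_text):
    """Return findings for the two hypotheses: spray/stuffing sources and new admin accounts."""
    fails = defaultdict(set)        # source IP -> distinct usernames that failed
    fail_count = defaultdict(int)   # source IP -> number of failed logins
    findings = {"spray_sources": [], "success_after_failures": [], "new_admins": []}
    for line in log_text.splitlines():
        rec = parse_kv(line)
        ip, user, action = rec.get("remip"), rec.get("user"), rec.get("action")
        if rec.get("subtype") == "vpn" and action == "ssl-login-fail":
            fails[ip].add(user)
            fail_count[ip] += 1
        elif rec.get("subtype") == "vpn" and action == "ssl-login":
            # A success from a source that already burned through many failures is the
            # credential-stuffing signature: a valid account used from an attacker-controlled IP.
            if fail_count[ip] >= FAIL_THRESHOLD or len(fails[ip]) >= SPRAY_USERS:
                findings["success_after_failures"].append((ip, user))
        elif action == "Add" and rec.get("cfgpath") == "system.admin":
            # Persistence hypothesis: a new administrator object configured on the edge device.
            findings["new_admins"].append((rec.get("cfgobj"), user, ip))
    for ip, users in fails.items():
        if fail_count[ip] >= FAIL_THRESHOLD and len(users) >= SPRAY_USERS:
            findings["spray_sources"].append(ip)
    return findings
```

The single typo-and-retry from 198.51.100.7 stays below both thresholds, which is what keeps the false-positive rate low on real VPN authentication logs; tune FAIL_THRESHOLD and SPRAY_USERS to your own baseline.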
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider checking Hudson Rock's FortiBleed Checker to determine if your domains are listed as compromised.
- If compromise is suspected, consider isolating the affected Fortinet device from the internet and internal network.
- Evaluate performing a factory reset on compromised devices, as changing credentials alone may not remove attacker persistence.
Infrastructure Hardening
- Evaluate whether management interfaces are exposed to the public internet and restrict access if possible.
- Consider updating Fortinet devices to the latest supported firmware versions and removing out-of-support systems.
- If supported, consider enabling PBKDF2 as the hash function for administrator accounts.
User Protection
- Consider enforcing multi-factor authentication (MFA) on all VPN and device management logins.
- Evaluate changing all default, generic, or reused administrator passwords.
Security Awareness
- Consider educating users on the risks of password reuse across different services to mitigate credential stuffing attacks.
MITRE ATT&CK Mapping
- T1110 - Brute Force
- T1110.004 - Credential Stuffing
- T1133 - External Remote Services
- T1078 - Valid Accounts
- T1098 - Account Manipulation