Arctic Wolf, a prominent cybersecurity firm, recently detected a widespread exploitation campaign targeting Fortinet FortiGate firewall devices. This campaign, tied to a critical vulnerability known as CVE-2024-55591, has been causing concern within the cybersecurity community. The vulnerability, which affects FortiGate firewalls with management interfaces exposed to the internet, was being exploited as a zero-day, meaning attackers had begun their campaign before Fortinet was aware and could issue patches. This exploitation has been ongoing since December and has prompted urgent updates from Fortinet and warnings from the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Stefan Hostetler, lead threat intelligence researcher at Arctic Wolf, confirmed to TechCrunch that this observed exploitation is linked to the newly confirmed CVE-2024-55591 vulnerability in Fortinet firewalls. Hostetler told TechCrunch that Arctic Wolf had ‘observed a cluster of intrusions affecting Fortinet devices in the tens,’ but notes that this only represents a ‘limited sample compared to the total actual number of devices that were likely affected.’. It’s also unclear who is behind the attacks on Fortinet firewalls, but cybersecurity researcher Kevin Beaumont writes on Mastodon that the vulnerability is ‘under exploitation by a ransomware operator.’ Hostetler said that ransomware attacks exploiting the bug are ‘not off the table,’ noting that in previous research, Arctic Fox ‘observed affiliates of ransomware groups such as Akira and Fog using some of the same network providers to establish VPN connectivity.’
Fortinet’s Response and CISA’s Warnings
Fortinet has responded by releasing patches to address this vulnerability. CISA has urged all Fortinet customers to promptly update their devices to mitigate the risk. Despite these efforts, concerns remain about the potential for ransomware attacks exploiting this bug. Hostetler warned that such attacks “are not off the table,” indicating that organizations should remain vigilant.
In addition to this recent exploitation campaign, Fortinet disclosed a separate breach in September involving customer data. This breach occurred when an attacker accessed “a limited number of files” stored on a third-party shared cloud drive utilized by Fortinet. Although the exact number of affected customers remains unclear, Tiffany Curci, a Fortinet spokesperson, declined to comment on the extent of the compromise.
Hostetler emphasized that the observed exploitation of FortiGate devices represents only a “limited sample compared to the total actual number of devices that were likely affected.” This points to the possibility that many more devices could be vulnerable if not promptly patched.
What The Author Thinks
The exploitation of the CVE-2024-55591 vulnerability in Fortinet firewalls is a significant wake-up call for cybersecurity vigilance. While Fortinet has acted quickly to release patches, the ongoing threat of ransomware attacks and the uncertainty surrounding the full scope of the exploitation raises concerns about how well organizations are prepared to handle such vulnerabilities. The discovery by Arctic Wolf underscores the persistent risk posed by zero-day vulnerabilities and highlights the need for businesses to stay ahead of potential cyberattacks. As the threat landscape evolves, it’s clear that swift and effective patching, along with increased awareness, will be key in mitigating the risks associated with these types of vulnerabilities.
Featured image credit: Johannes Weber via Flickr
Follow us for more breaking news on DMR