Signs of intrusion: “This actor exhibits a distinct operational signature that blends elements of opportunistic attacks with ties to the LockBit ecosystem,” Forescout said in its analysis. “Mora_001’s relationship to the broader LockBit ransomware operations underscores the increased complexity of the modern ransomware landscape, where specialized teams collaborate to leverage complementary capabilities.”

CISOs should note these consistent post-exploitation patterns across the incidents Forescout investigated:
- creation of identical usernames across multiple victim networks;
- overlapping IP addresses used for initial access, post-exploitation, and command-and-control (C2) operations;
- similar configuration backup behaviors in compromised environments;
- rapid ransomware deployment within 48 hours when conditions are favorable, with extended reconnaissance in environments with stricter security controls.

CVE-2024-55591 and CVE-2025-24472 allow unauthenticated attackers to gain super_admin privileges on FortiGate devices running FortiOS before version 7.0.16 that have internet-exposed management interfaces. After word spread about the vulnerabilities and the proof-of-concept exploit, Forescout saw three types of attacks: use of the PoC, direct exploitation of the WebSocket vulnerability in exposed firewall interfaces, and direct HTTPS requests.
Attack tactics: After successfully exploiting the vulnerability and verifying access using randomized usernames, the threat actor consistently created local system admin users in nearly every incident. The newly created accounts included forticloud-tech, fortigate-firewall and adnimistrator (a misspelling of administrator).

CISOs should also note that in some cases, instead of relying on a single administrative account for all actions, the threat actor employed a chaining method, where each newly created administrative account was used to generate additional accounts. This approach is likely intended to complicate remediation efforts, making it more difficult to identify and revoke all compromised accounts.

After creating local administrator accounts, Forescout found, the threat actor downloaded the firewall configuration file, which contains critical information about the device and the network, including policies, routes, keys and VPN configurations. Additionally, logs indicate configuration changes were made by the threat actor.

The actor created a scripted automation task to resynchronize the forticloud-sync user with a super_admin profile and a known password daily at a specified time. Forescout said this ensured that even if the local account is manually removed from the firewall, it will automatically be recreated.

The threat actor also tried, where possible, to create local VPN accounts to exploit. In environments without VPN capabilities or where the actor was unable to add VPN users, they attempted to log in to other firewalls using the credentials created on the initial compromised firewall. This was done through two distinct methods:
- for firewalls configured in High Availability (HA) mode, the threat actor forced HA functionality to propagate the compromised configuration to additional firewalls within the same cluster. By triggering the HA sync process, they ensured that their backdoor accounts and automation scripts were replicated across the devices;
- for firewalls configured to use TACACS+ (Terminal Access Controller Access-Control System) or RADIUS (Remote Authentication Dial-In User Service), the threat actor attempted to VPN into the network. This method could succeed if any of the locally created users were also synchronized with Active Directory (AD) or via a RADIUS community secret, allowing authentication through the Network Policy Server (NPS).

After compromising the firewall, the threat actor moved laterally across the IT network, leveraging information from the compromised firewall’s configuration file and dashboards, prioritizing high-value targets including file servers, authentication servers and domain controllers, database servers, and other network infrastructure devices, then selectively exfiltrated data and encrypted servers.

The actor primarily relied on Windows Management Instrumentation (WMIC) for remote system discovery and execution, said Forescout, and used SSH to access additional systems, particularly servers and network devices.

As with other known vulnerabilities that go unmitigated, cybercriminals tend to make quick work of exploiting the gap between the release of a security patch and its installation, said Arctic Wolf’s Hostetler. “The threat actor tied to the ransomware campaign described by Forescout appears to be using a familiar set of tools seen in past ransomware activity,” he said, “while adapting their initial access techniques. When the LockBit 3.0 builder leaked in 2022, numerous groups began using it for their own independent campaigns, and this threat actor appears to be doing the same.
Additionally, the structure of the ransom note bears similarities to that of other groups such as the now-defunct BlackCat/ALPHV ransomware variant. This illustrates how the threat actors hiding behind ransomware group names rebrand and adapt as their incentives and alliances evolve over time.”
Edge devices increasingly attractive targets: This research highlights that edge devices, including routers, VPN gateways, and others, are an increasingly attractive target for threat actors, Sai Molige, Forescout’s senior manager of threat hunting, said in an email. He said that CISOs and their security teams can take several steps to identify and assess potential risks in their environment. They can perform threat modeling on edge devices to better understand the exposure rate and the extent of an intrusion if and when it occurs, he noted. Once security teams have a full understanding of the implementation and function of these edge devices, they can:
- use logging and monitoring to detect and hunt for malicious actions, such as downloads of configuration files that did not come from legitimate admin activity;
- conduct regular audits of users to benchmark standard behavior and identify any deviations;
- audit regular operational procedures, such as the usage of automated scripts on edge appliances, to detect any deviations from the expected behavior.
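As an added example (not code from the Forescout report or the article), the following Python detector runs over constructed FortiOS-style event lines and flags the patterns described in the attack-tactics and hunting sections above: admin accounts created by other freshly created admins (chaining), automation objects that could resync a backdoor account, and configuration backups outside expected admin activity. The field names follow the FortiOS key=value event-log layout; the specific users, addresses, times and the trusted management network are assumptions.

```python
import re

# Constructed sample events in FortiOS-style key=value syslog layout (assumption:
# field names mirror FortiOS event logs; hosts, users and times are invented).
SAMPLE_LOGS = """\
date=2025-01-20 time=03:11:02 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.7)" action="Add" cfgpath="system.admin" cfgobj="forticloud-tech" msg="Add system.admin forticloud-tech"
date=2025-01-20 time=03:12:40 type="event" subtype="system" logdesc="Object attribute configured" user="forticloud-tech" ui="https(203.0.113.7)" action="Add" cfgpath="system.admin" cfgobj="adnimistrator" msg="Add system.admin adnimistrator"
date=2025-01-20 time=03:14:05 type="event" subtype="system" logdesc="Configuration backup" user="adnimistrator" ui="https(203.0.113.7)" action="backup" msg="Configuration backup by adnimistrator"
date=2025-01-20 time=03:15:30 type="event" subtype="system" logdesc="Object attribute configured" user="adnimistrator" ui="https(203.0.113.7)" action="Add" cfgpath="system.automation-stitch" cfgobj="sync-forticloud" msg="Add system.automation-stitch sync-forticloud"
date=2025-01-21 time=09:00:00 type="event" subtype="system" logdesc="Configuration backup" user="admin" ui="https(10.0.0.5)" action="backup" msg="Configuration backup by admin"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Split one key=value event line into a dict (quoted or bare values)."""
    return {k: (q or u) for k, q, u in KV_RE.findall(line)}

def source_ip(ui):
    """Extract the client address from a ui field such as https(203.0.113.7)."""
    return ui.split("(")[-1].rstrip(")")

def detect(lines, known_admins, trusted_mgmt_prefixes):
    """Flag the post-exploitation patterns from the report: new admin accounts
    (HIGH when the creator is itself an account created in this window, i.e.
    chaining), automation objects that could resync a backdoor account, and
    configuration backups by unknown admins or from untrusted sources."""
    created, findings = set(), []
    for raw in lines:
        if not raw.strip():
            continue
        e = parse(raw)
        user, desc, src = e.get("user"), e.get("logdesc"), source_ip(e.get("ui", ""))
        if desc == "Object attribute configured" and e.get("action") == "Add":
            if e.get("cfgpath") == "system.admin":
                sev = "HIGH" if user in created else "MEDIUM"
                created.add(e["cfgobj"])
                findings.append((sev, f"admin {e['cfgobj']} created by {user} from {src}"))
            elif e.get("cfgpath", "").startswith("system.automation"):
                findings.append(("HIGH", f"automation object {e['cfgobj']} added by {user}"))
        elif desc == "Configuration backup":
            if user not in known_admins or not src.startswith(trusted_mgmt_prefixes):
                findings.append(("HIGH", f"config backup by {user} from {src}"))
    return findings

def run_sample():
    """Run the detector over the constructed events; trusted mgmt net is 10.0.0.0/24."""
    return detect(SAMPLE_LOGS.splitlines(), known_admins={"admin"}, trusted_mgmt_prefixes=("10.0.0.",))

if __name__ == "__main__":
    for sev, msg in run_sample():
        print(sev, msg)
```

The legitimate backup by admin from the management network is not flagged, while the chained account creation, the automation stitch and the backup by the unknown account each raise a HIGH finding.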
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3846180/report-on-ransomware-attacks-on-fortinet-firewalls-also-reveals-possible-defenses.html