The threat actors behind the global “FortiBleed” credential-harvesting campaign engineered a sniffer tool that turns already-compromised FortiGate firewalls into passive credential stealers, with hundreds of thousands of devices in scope, in a wave of attacks that’s now known to be much broader than initially thought.

Researchers from SOCRadar have unpacked the attack chain behind the ongoing threat campaign, which they believe is targeting more than 430,000 FortiGate firewalls globally and has resulted in the breach of high-value targets such as a NATO-aligned defense contractor, according to a whitepaper published this week. 

Based on the observed activity, the threat actor is most likely an initial access broker (IAB) motivated by financial gain, according to SOCRadar, whose researchers reverse-engineered the attack chain to understand the origin and nature of the attack.

What they found is that FortiBleed has been ongoing since at least February and, because comments in the campaign’s tooling are written in Cyrillic, the perpetrators are likely Russian (a weak signal on its own: Cyrillic comments point at most to a Russian-speaking developer and are trivial to plant). SOCRadar made a similar assumption when the campaign was first revealed, after security researcher Volodymyr “Bob” Diachenko flagged a single exposed directory that led the researchers to its discovery and subsequent disclosure.


Sniffer Turns Firewalls Into Stealers

The whitepaper reveals exactly how the attackers were able to engineer such widespread credential harvesting. SOCRadar discovered and analyzed a Golang tool dubbed FortigateSniffer, which “turns compromised firewalls into passive credential collectors across 24 authentication protocols,” according to the whitepaper.

“FortigateSniffer abuses the FortiOS built-in diagnostic command ‘-diagnose sniffer packet’ to passively capture authentication traffic from compromised FortiGate firewalls,” SOCRadar researchers wrote. “The tool is designed to monitor traffic across 24 protocols, parse authentication data, and extract credentials from network flows.”

Further analysis suggests that parts of the workflow also may have been assisted by CyberStrike, an open source, AI-powered autonomous penetration testing agent, according to the researchers. The expanded scope of FortiBleed prompted the Cybersecurity and Infrastructure Security Agency (CISA) to urge organizations across both the private and public sectors to take immediate steps to harden their Fortinet environments.

FortiBleed Scope and Victimology

So far, attackers have managed to create 659 credential-harvesting pipelines using the tool, and already have stolen more than 110 million credentials, including RADIUS, NTLM, and Kerberos material, SOCRadar found. 


Based on scale alone, the harvested credentials also “should be treated as an active risk condition with as much potential for damage as the original vector,” observes Gene Moody, field CTO with patch management firm Action1. 

“These datasets are frequently aggregated, repackaged, and sold in underground markets, lowering the barrier for less sophisticated actors to launch new campaigns,” he observes, making the theft achieved to date a dangerous proposition for defenders.

Key targets of the campaign are small-to-medium-sized businesses (SMBs) with fewer than 200 employees, particularly in the US and India, according to SOCRadar. However, the campaign is global and has already affected organizations in nearly 200 countries.

The campaign also spans multiple sectors, as revealed last week; however, the researchers now believe the key targeted sector is “IT services, likely selected to maximize downstream access,” according to the whitepaper.

Full Attack Chain Revealed

SOCRadar identified a five-step attack chain employed by the threat actor, beginning with reconnaissance and target prioritization. This is done by scanning the Internet for exposed FortiGate firewalls and other edge services, enriching the data with organization and revenue information, and ranking targets based on potential value.


Once targets have been identified, attackers use credential-stuffing and brute-force attacks against FortiGate administrative interfaces and SSH services to obtain valid credentials and footholds on Internet-facing devices.

Attackers deploy the FortigateSniffer post-compromise to abuse legitimate FortiOS diagnostic commands and passively capture authentication traffic across dozens of protocols. The tool extracts credentials, hashes, session cookies, and identity data without installing traditional malware.

The next step uses the attacker’s distributed GPU infrastructure to crack the captured hashes offline, while validated credentials are used for password spraying, Active Directory enumeration, Server Message Block (SMB) access, and lateral movement deeper into victim networks, according to SOCRadar.

The attack culminates in the theft of sensitive files from network shares and the reuse of stolen Web-session cookies to gain authenticated access to internal applications. The threat actor can then use the resulting access and intelligence for follow-on ransomware and data extortion attacks or sell it for financial gain.

Defending Against FortiBleed

Given the ongoing nature of the campaign, SOCRadar continues to actively track it. The whitepaper includes a comprehensive list of indicators of compromise (IoCs) as well as a link to a tool that tests if an organization has been compromised by FortiBleed.

SOCRadar said organizations that have been compromised or think they may be targets should take the following actions immediately: rotate all credentials tied to Fortinet VPN and administrative interfaces; enforce multi-factor authentication (MFA); remove FortiGate management interfaces from direct Internet exposure; and review gateway and authentication logs for suspicious activity.
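As an added example (not code from SOCRadar, Fortinet, or the campaign's tooling), here is the detection logic a defender would run for the chain described above: the credential-stuffing foothold against the admin interface, the post-compromise use of the built-in packet sniffer, and the log review and management-exposure checks recommended here. It is Python run over constructed FortiOS-style key=value log lines and a constructed interface config fragment; the specific field values, the shape of the "Command executed" audit message, and all function names are assumptions, not copied from a real device.

```python
"""Added example, not SOCRadar's or Fortinet's code. Runs FortiBleed-style
detections over constructed FortiOS-style logs and a constructed config.
Assumed, not taken from a real device: the field values, the
"Command executed"/msg audit-event shape, and every function name here."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in FortiOS key=value layout (illustrative values).
SAMPLE_LOGS = """\
date=2025-02-10 time=03:14:01 logdesc="Admin login failed" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2025-02-10 time=03:14:03 logdesc="Admin login failed" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2025-02-10 time=03:14:05 logdesc="Admin login failed" user="fortinet" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2025-02-10 time=03:14:06 logdesc="Admin login failed" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2025-02-10 time=03:14:08 logdesc="Admin login failed" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2025-02-10 time=03:14:10 logdesc="Admin login successful" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="success"
date=2025-02-10 time=03:16:42 logdesc="Command executed" user="admin" ui="ssh(203.0.113.7)" srcip=203.0.113.7 msg="diagnose sniffer packet any 'port 389 or port 1812' 6 0"
date=2025-02-10 time=09:01:00 logdesc="Admin login successful" user="netops" ui="https(10.20.0.5)" srcip=10.20.0.5 action="login" status="success"
"""

# Constructed FortiOS interface config: a WAN-role interface that still exposes
# HTTPS and SSH management (the weak setting) beside a LAN-role one.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh
    next
end
"""

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value or key="quoted value"
SNIFFER_RE = re.compile(r"\bdiag(?:nose)?\s+sniffer\s+packet\b")
MGMT_SERVICES = frozenset({"http", "https", "ssh", "telnet"})


def parse_line(line):
    """Split one key=value log line into a dict and attach a datetime."""
    f = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    f["ts"] = datetime.strptime(f"{f['date']} {f['time']}", "%Y-%m-%d %H:%M:%S")
    return f


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_stuffing_success(events, threshold=5, window=timedelta(minutes=5)):
    """Successful admin login preceded by >= threshold failures from the same
    source inside the window: the foothold step, not just scanner noise.
    Returns [(srcip, user, ts)]."""
    recent, hits = defaultdict(list), []
    for e in sorted(events, key=lambda e: e["ts"]):
        ip = e.get("srcip")
        if e.get("logdesc") == "Admin login failed":
            recent[ip].append(e["ts"])
        elif e.get("logdesc") == "Admin login successful":
            if sum(1 for t in recent[ip] if e["ts"] - t <= window) >= threshold:
                hits.append((ip, e["user"], e["ts"]))
    return hits


def detect_untrusted_admin_login(events, trusted_nets):
    """Successful admin logins from outside the trusted-host ranges."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    return [e for e in events if e.get("logdesc") == "Admin login successful"
            and not any(ipaddress.ip_address(e["srcip"]) in n for n in nets)]


def detect_sniffer_use(events):
    """CLI audit events that invoked the built-in sniffer the stealer abuses."""
    return [e for e in events if e.get("logdesc") == "Command executed"
            and SNIFFER_RE.search(e.get("msg", ""))]


def exposed_mgmt_interfaces(config_text, mgmt=MGMT_SERVICES):
    """WAN-role interfaces whose allowaccess still lists management services."""
    exposed = []
    for m in re.finditer(r'edit "([^"]+)"(.*?)\n\s*next', config_text, re.S):
        name, body = m.group(1), m.group(2)
        role = re.search(r"set role (\w+)", body)
        access = re.search(r"set allowaccess ([^\n]+)", body)
        if role and role.group(1) == "wan" and access:
            bad = sorted(mgmt & set(access.group(1).split()))
            if bad:
                exposed.append((name, bad))
    return exposed


EVENTS = parse_logs(SAMPLE_LOGS)

if __name__ == "__main__":
    print("stuffing success:", detect_stuffing_success(EVENTS))
    print("untrusted admin:", [e["srcip"] for e in detect_untrusted_admin_login(EVENTS, ["10.0.0.0/8"])])
    print("sniffer use:", [e["msg"] for e in detect_sniffer_use(EVENTS)])
    print("exposed mgmt:", exposed_mgmt_interfaces(SAMPLE_CONFIG))
```

In practice the events come from a syslog collector or FortiAnalyzer export rather than an inline string, and the trusted-network list should match the trusted hosts configured on the admin accounts. The config check only judges interfaces that carry an explicit WAN role; an interface with no role set is skipped and should be reviewed by hand.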

Even if compromise is not confirmed, organizations still should rotate credentials across all access immediately, especially since the campaign remains active, to avoid compromise in the future, Action1’s Moody advises.

“Remember credential reuse is impersonation; therefore activity can be legitimate at a glance, but may also be an admin logging in at atypical times, from atypical locations, etc.,” he says. “Many organizations may believe they avoided impact once the initial event passes. In reality, they avoided the initial blast and are later affected by the predictable aftershock.”
