FortiGate Exploitation: Service Account Credentials at Risk

March 11, 2026 Faeem BLOGS, FORTINET 0

Cybersecurity researchers have uncovered a campaign where attackers exploit FortiGate Next‑Generation Firewall (NGFW) appliances to breach networks and steal sensitive service account credentials. The findings highlight how devices designed to protect organizations can become high‑value entry points when vulnerabilities or misconfigurations are left unpatched.

Attack Chain

  • Initial access:
    • Exploitation of known FortiGate vulnerabilities (CVE‑2025‑59718, CVE‑2025‑59719, CVE‑2026‑24858) or weak credentials.
    • Creation of rogue local administrator accounts (e.g., “support”) with unrestricted firewall policies.
  • Persistence:
    • Attackers periodically checked access, consistent with initial access brokers (IABs) preparing footholds for resale.
  • Credential theft:
    • Extraction of configuration files containing LDAP/AD service account credentials.
    • Decryption of stored credentials and authentication into Active Directory.
    • Enrollment of rogue workstations into AD for deeper access.
  • Lateral movement:
    • Network scanning initiated once foothold was established.
    • Deployment of remote access tools like Pulseway and MeshAgent.
    • Use of PowerShell to download malware from AWS cloud storage.
  • Data exfiltration:
    • Java malware (via DLL sideloading) exfiltrated NTDS.dit and SYSTEM registry hive files.
    • Data sent to external servers over port 443.

Why It Matters

  • High‑value target: FortiGate appliances often integrate with Active Directory and LDAP, giving attackers access to authentication infrastructure.
  • Credential exposure: Service accounts tied to directory services are especially sensitive, enabling privilege escalation.
  • Operational risk: Attackers can pivot from firewall access to full domain compromise.
  • Motivations vary: Campaigns may serve both state‑aligned espionage and financially motivated ransomware operations.

Defensive Recommendations

  • Patch immediately: Apply fixes for FortiGate vulnerabilities and monitor vendor advisories.
  • Audit configurations: Review firewall policies and remove unnecessary administrator accounts.
  • Credential hygiene: Rotate service account credentials and enforce strong password policies.
  • Segmentation: Limit NGFW access to only trusted management networks.
  • Monitoring: Detect anomalous AD enrollments, PowerShell downloads, and DLL sideloading activity.
  • Threat hunting: Investigate for rogue drivers (e.g., RogueKiller, IObitUnlocker) that may indicate BYOD exploitation.

Final Thought

The FortiGate exploitation campaign demonstrates how network security appliances can become liabilities if left unpatched or misconfigured. For defenders, the lesson is clear: firewalls are not just protective barriers — they are privileged assets that demand the same rigorous patching, credential hygiene, and monitoring as any critical server.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.