Since early December 2024, Arctic Wolf has been monitoring threat activity involving the malicious use of management interfaces on FortiGate firewall devices on the public internet. While our investigation into this activity is ongoing and the scope is yet to be fully determined, organizations running these products should ensure that they are adhering to security best practices for management access of firewall devices.
Management interfaces of firewalls have historically been a significant vector for initial access to deploy ransomware and other malicious activity, as witnessed in several recent campaigns:
- In August 2024, SonicWall disclosed CVE-2024-40766, a vulnerability granting unauthorized access to management and SSL VPN interfaces. This vulnerability was exploited to deploy Fog and Akira ransomware.
- In November 2024, the CVE-2024-0012 and CVE-2024-9474 vulnerabilities in Palo Alto Networks PAN-OS software were leveraged in a mass exploitation campaign uncovered by Arctic Wolf.
Recommendations
Limit Access to Management Interfaces on the Public Internet
Arctic Wolf strongly recommends restricting access to firewall management interfaces to trusted internal networks. This is a security best practice for all firewall configurations, regardless of vendor.
Please refer to vendor-specific documentation detailing configuration of management interface access. For Fortinet FortiGate firewall devices, see the following documentation for an outline of security hardening best practices: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/582009/system-administrator-best-practices
Configure Log Monitoring for all Firewall Devices
To increase the likelihood of catching malicious activity early, ensure that syslog monitoring is configured for all of your organization’s firewall devices using our provided documentation.
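As an added example tying the two recommendations together (not part of the Arctic Wolf advisory), the following Python checks FortiOS-style key=value syslog lines for administrator logins whose source address falls outside the trusted management networks. The trusted ranges, device name and log lines are constructed for illustration; substitute your own ranges and feed it your real syslog export.

```python
import ipaddress
import re

# Assumption: these are the only networks from which management access is permitted.
TRUSTED_MGMT_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# FortiOS event logs are space-separated key=value pairs; values may be double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortigate_log(line):
    """Parse one FortiOS key=value syslog line into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_trusted(ip):
    """True if the address belongs to one of the trusted management networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def find_untrusted_admin_logins(lines):
    """Return (user, srcip, status) for admin login events (successful or failed)
    originating outside TRUSTED_MGMT_NETS. Non-login and non-system events are ignored."""
    hits = []
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("type") != "event" or rec.get("subtype") != "system":
            continue
        if rec.get("action") != "login":
            continue
        src = rec.get("srcip")
        if src and not is_trusted(src):
            hits.append((rec.get("user"), src, rec.get("status")))
    return hits


# Constructed sample log lines (not real device output) in FortiOS event-log format.
SAMPLE_LOGS = [
    'date=2024-12-05 time=09:12:41 devname="FGT-EDGE" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.20.0.7)" method="https" srcip=10.20.0.7 action="login" status="success" msg="Administrator admin logged in successfully from https(10.20.0.7)"',
    'date=2024-12-05 time=03:47:55 devname="FGT-EDGE" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.45)" method="ssh" srcip=203.0.113.45 action="login" status="failed" msg="Administrator admin login failed from ssh(203.0.113.45) because of invalid password"',
    'date=2024-12-05 time=03:48:02 devname="FGT-EDGE" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(203.0.113.45)" method="https" srcip=203.0.113.45 action="login" status="success" msg="Administrator admin logged in successfully from https(203.0.113.45)"',
    'date=2024-12-05 time=03:50:10 devname="FGT-EDGE" type="traffic" subtype="forward" level="notice" vd="root" srcip=203.0.113.45 dstip=198.51.100.9 action="accept"',
]

if __name__ == "__main__":
    for user, src, status in find_untrusted_admin_logins(SAMPLE_LOGS):
        print(f"ALERT: admin login ({status}) for user={user} from untrusted source {src}")
```

A failed login followed shortly by a success from the same untrusted address, as in the constructed sample, is the pattern worth escalating; a real deployment would run this against the syslog feed the advisory asks you to configure.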