Exploiting network points to hack victims
Cybersecurity experts have warned about a new campaign where hackers are exploiting FortiGate Next-Gen Firewall (NGFW) devices as entry points to hack target networks.
The campaign involves abusing the recently revealed security flaws or weak password to take out configuration files. The activity has singled out class linked to government, healthcare, and managed service providers.
Attack tactic
According to experts, “FortiGate network appliances have considerable access to the environments they were installed to protect. In many configurations, this includes service accounts which are connected to the authentication infrastructure, such as Active Directory (AD) and Lightweight Directory Access Protocol (LDAP).”
“This setup can enable the appliance to map roles to specific users by fetching attributes about the connection that’s being analyzed and correlating with the Directory information, which is useful in cases where role-based policies are set or for increasing response speed for network security alerts detected by the device,” the experts added.
Misconfigurations opening doors for hackers
But the experts noticed that this access could be compromised by hackers who hack into FortiGate devices via flaws or misconfigurations.
In one attack, the hackers breached a FortiGate appliance last year in November to make a new local admin account “support” and built four new firewall policies that let the account to travel across all zones without any limitations.
The hacker then routinely checked device access. “Evidence demonstrates the attacker authenticated to the AD using clear text credentials from the fortidcagent service account, suggesting the attacker decrypted the configuration file and extracted the service account credentials,” SentinelOne reported.
How was the account used?
After this, hacker leveraged the service account to verify the target’s environment and put rogue workstations in the AD for further access. Following this, network scanning started and the breach was found, and lateral movement was stopped.
The contents of the NTDS.dit file and SYSTEM registry hive were exfiltrated to an external server (“172.67.196[.]232”) over port 443 by the Java malware, which was triggered via DLL side-loading.
SentinelOne said that “While the actor may have attempted to crack passwords from the data, no such credential usage was identified between the time of credential harvesting and incident containment.”
Read the original article: