ASD issues critical alert for Fortinet credential exposure

By Joshua Gliddon on Jun 19, 2026 1:39PM
The Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) has issued a critical alert regarding a widespread malicious campaign against Fortinet Firewalls and VPN gateways.

The campaign largely utilises exposed credentials and credential-based attacks, leading to potential compromise and further credential exposure.

Leveraging these credentials could give malicious actors remote access to the devices and connected networks, as well as allow changes to various settings, including security controls.

ASD's ACSC has advised all organisations that use Fortinet Firewall or VPN services to rotate all admin and VPN credentials immediately, and to ensure devices are patched to prevent attackers from exploiting existing vulnerabilities in older firmware.

Organisations are also advised to restrict management interface exposure to reduce the attack surface of Fortinet infrastructure, ensuring firewall admin/management interfaces are not internet accessible unless necessary, and to enforce Multi-Factor Authentication for all external interfaces to minimise the impact of stolen credentials.

The ASD's advice also includes ensuring credentials are stored with PBKDF2 hashing to prevent offline brute forcing; all admin accounts should be logged back into once devices are fully updated, which forces the stored credentials to change to PBKDF2. Organisations should also examine logging for malicious activity, reviewing authentication logs and access logs and investigating abnormal logins or changes.

Copyright © nextmedia Pty Ltd. All rights reserved.