FortiGate SSO bug still exploitable despite December patch
"Fortinet has confirmed that attackers are actively bypassing a December patch for a critical FortiCloud single sign-on (SSO) authentication flaw after customers reported suspicious logins on devices supposedly fully up to date. In a new advisory, Fortinet said it had identified a fresh attack path being used to abuse SAML-based SSO in FortiOS, even on systems that had already applied the vendor's earlier fix."
"The disclosure follows reports earlier this week that FortiGate firewalls were quietly reconfigured via compromised SSO accounts, with attackers altering firewall settings, creating backdoor admin users, and exfiltrating configuration files. Arctic Wolf said the campaign kicked off around January 15, with attackers spinning up VPN-enabled accounts and ripping out firewall configuration files in a matter of seconds - behavior strongly suggesting automation rather than careful, hands-on-keyboard work."
"'However, in the last 24 hours, we have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path.' 'Fortinet product security has identified the issue, and the company is working on a fix to remediate this occurrence,' Windsor said."
Attackers are bypassing Fortinet's December FortiCloud SSO patch through a newly identified attack path that abuses SAML-based SSO in FortiOS. Compromised SSO accounts have been used to reconfigure FortiGate firewalls: altering settings, creating backdoor administrator users, and exfiltrating configuration files. Arctic Wolf observed the campaign beginning around January 15, with rapid, automated behavior including the creation of VPN-enabled accounts and the exfiltration of firewall configuration files within seconds. Fortinet confirmed unexpected logins on fully upgraded devices, identified the issue, and stated that product security is developing a remediation and will issue an advisory covering scope and timeline.
Read at The Register